
Windows Analysis Report
rivalsanticheat.exe

Overview

General Information

Sample name: rivalsanticheat.exe
Analysis ID: 1582991
MD5: ded1521d6ef291309ade101b3844fa22
SHA1: 6db1c681cc81b818bd15c1aec2d70362fa997acd
SHA256: 011c10551a4fa592185fd99631ab98f194282638b3a4c072f386ca3f67509cd9
Tags: 5-89-185-156, AsyncRAT, exe, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rivalsanticheat.exe (PID: 1360 cmdline: "C:\Users\user\Desktop\rivalsanticheat.exe" MD5: DED1521D6EF291309ADE101B3844FA22)
    • schtasks.exe (PID: 1436 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 6256 cmdline: C:\Windows\system32\WerFault.exe -u -p 1360 -s 1900 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • rivalsanticheat.exe (PID: 7048 cmdline: C:\Users\user\AppData\Roaming\rivalsanticheat.exe MD5: DED1521D6EF291309ADE101B3844FA22)
  • rivalsanticheat.exe (PID: 1928 cmdline: C:\Users\user\AppData\Roaming\rivalsanticheat.exe MD5: DED1521D6EF291309ADE101B3844FA22)
  • rivalsanticheat.exe (PID: 5888 cmdline: C:\Users\user\AppData\Roaming\rivalsanticheat.exe MD5: DED1521D6EF291309ADE101B3844FA22)
  • cleanup
Malware configuration (XWorm): {"C2 url": ["jholo.duckdns.org"], "Port": 7777, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
rivalsanticheat.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
rivalsanticheat.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
rivalsanticheat.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
      • 0xbbca:$str01: $VB$Local_Port
      • 0xbbf7:$str02: $VB$Local_Host
      • 0xa2c4:$str03: get_Jpeg
      • 0xa820:$str04: get_ServicePack
      • 0xd64e:$str05: Select * from AntivirusProduct
      • 0xe4aa:$str06: PCRestart
      • 0xe4be:$str07: shutdown.exe /f /r /t 0
      • 0xe570:$str08: StopReport
      • 0xe546:$str09: StopDDos
      • 0xe63c:$str10: sendPlugin
      • 0xe6bc:$str11: OfflineKeylogger Not Enabled
      • 0xe814:$str12: -ExecutionPolicy Bypass -File "
      • 0xf46a:$str13: Content-length: 5235
rivalsanticheat.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      • 0xcf76:$s6: VirtualBox
      • 0xced4:$s8: Win32_ComputerSystem
      • 0xfaf2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xfb8f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xfca4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xf385:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\rivalsanticheat.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\rivalsanticheat.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\rivalsanticheat.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
C:\Users\user\AppData\Roaming\rivalsanticheat.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
Source | Rule | Description | Author | Strings
00000000.00000000.1648426795.00000000003F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1648426795.00000000003F2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
            • 0xcd76:$s6: VirtualBox
            • 0xccd4:$s8: Win32_ComputerSystem
            • 0xf8f2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xf98f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xfaa4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xf185:$cnc4: POST / HTTP/1.1
00000000.00000002.3451897857.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: rivalsanticheat.exe PID: 1360 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Source | Rule | Description | Author | Strings
0.0.rivalsanticheat.exe.3f0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.rivalsanticheat.exe.3f0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.rivalsanticheat.exe.3f0000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
0.0.rivalsanticheat.exe.3f0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen

                    System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 5.89.185.156, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\user\Desktop\rivalsanticheat.exe, Initiated: true, ProcessId: 1360, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rivalsanticheat.exe", ParentImage: C:\Users\user\Desktop\rivalsanticheat.exe, ParentProcessId: 1360, ParentProcessName: rivalsanticheat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe", ProcessId: 1436, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T10:42:27.747710+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49864 | 5.89.185.156 | 7777 | TCP


                    AV Detection

Source: rivalsanticheat.exe | Avira: detected
Source: jholo.duckdns.org | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: rivalsanticheat.exe | Malware Configuration Extractor: Xworm {"C2 url": ["jholo.duckdns.org"], "Port": 7777, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | ReversingLabs: Detection: 78%
Source: rivalsanticheat.exe | ReversingLabs: Detection: 78%
Source: rivalsanticheat.exe | Virustotal: Detection: 75%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | Joe Sandbox ML: detected
Source: rivalsanticheat.exe | Joe Sandbox ML: detected
Source: rivalsanticheat.exe | String decryptor: jholo.duckdns.org
Source: rivalsanticheat.exe | String decryptor: 7777
Source: rivalsanticheat.exe | String decryptor: <123456789>
Source: rivalsanticheat.exe | String decryptor: <Xwormmm>
Source: rivalsanticheat.exe | String decryptor: XWorm V5.6
Source: rivalsanticheat.exe | String decryptor: USB.exe
Source: rivalsanticheat.exe | String decryptor: %AppData%
Source: rivalsanticheat.exe | String decryptor: rivalsanticheat.exe
Source: rivalsanticheat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rivalsanticheat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49740 -> 5.89.185.156:7777
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49864 -> 5.89.185.156:7777
Source: Malware configuration extractor | URLs: jholo.duckdns.org
Source: unknown | DNS query: name: jholo.duckdns.org
Source: Yara match | File source: rivalsanticheat.exe, type: SAMPLE
Source: Yara match | File source: 0.0.rivalsanticheat.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 5.89.185.156:7777
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: VODAFONE-IT-ASNIT
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: jholo.duckdns.org
Source: rivalsanticheat.exe, rivalsanticheat.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: rivalsanticheat.exe, 00000000.00000002.3451897857.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net

                    Operating System Destruction

Source: C:\Users\user\Desktop\rivalsanticheat.exe | Process information set: 01 00 00 00

                    System Summary

Source: rivalsanticheat.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: rivalsanticheat.exe, type: SAMPLE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.0.rivalsanticheat.exe.3f0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.0.rivalsanticheat.exe.3f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000000.1648426795.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Code function: 0_2_00007FFD9B86104D
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Code function: 0_2_00007FFD9B865B46
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Code function: 0_2_00007FFD9B861A01
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Code function: 0_2_00007FFD9B8668F2
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | Code function: 3_2_00007FFD9B860FF8
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | Code function: 7_2_00007FFD9B890FF8
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | Code function: 9_2_00007FFD9B890FF8
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1360 -s 1900
Source: rivalsanticheat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rivalsanticheat.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: rivalsanticheat.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.rivalsanticheat.exe.3f0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.0.rivalsanticheat.exe.3f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1648426795.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: rivalsanticheat.exe, CwFHZkjzy8fuL42ssK4j02FfYn8bn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: rivalsanticheat.exe, wPpUVasNl83McTjXeCT7REF5YtT48.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: rivalsanticheat.exe.0.dr, CwFHZkjzy8fuL42ssK4j02FfYn8bn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: rivalsanticheat.exe.0.dr, wPpUVasNl83McTjXeCT7REF5YtT48.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: rivalsanticheat.exe.0.dr, cCtJmGsFBRSmjuWVUJhTNMkmsgWgXScdGcmbjBqGaR1T.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: rivalsanticheat.exe.0.dr, cCtJmGsFBRSmjuWVUJhTNMkmsgWgXScdGcmbjBqGaR1T.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: rivalsanticheat.exe, cCtJmGsFBRSmjuWVUJhTNMkmsgWgXScdGcmbjBqGaR1T.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: rivalsanticheat.exe, cCtJmGsFBRSmjuWVUJhTNMkmsgWgXScdGcmbjBqGaR1T.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/7@19/2
Source: C:\Users\user\Desktop\rivalsanticheat.exe | File created: C:\Users\user\AppData\Roaming\rivalsanticheat.exe
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1360
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Mutant created: \Sessions\1\BaseNamedObjects\MFDgtG4e9yHdcrKV
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3edca8fa-68b1-4ac5-ad0a-ede30212bbae
Source: rivalsanticheat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rivalsanticheat.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\rivalsanticheat.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rivalsanticheat.exe | ReversingLabs: Detection: 78%
Source: rivalsanticheat.exe | Virustotal: Detection: 75%
Source: C:\Users\user\Desktop\rivalsanticheat.exe | File read: C:\Users\user\Desktop\rivalsanticheat.exe
Source: unknown | Process created: C:\Users\user\Desktop\rivalsanticheat.exe "C:\Users\user\Desktop\rivalsanticheat.exe"
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\rivalsanticheat.exe C:\Users\user\AppData\Roaming\rivalsanticheat.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\rivalsanticheat.exe C:\Users\user\AppData\Roaming\rivalsanticheat.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\rivalsanticheat.exe C:\Users\user\AppData\Roaming\rivalsanticheat.exe
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1360 -s 1900
                    Source: C:\Users\user\Desktop\rivalsanticheat.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe"Jump to behavior
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Sections loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, avicap32.dll, msvfw32.dll, winmm.dll (twice). Of these, wbemcomn.dll (WMI client), amsi.dll (Antimalware Scan Interface), winhttp.dll and dnsapi.dll (network), and avicap32.dll with msvfw32.dll (Video for Windows capture APIs) are the ones worth correlating with the sample's WMI queries, its network activity and its video-capture code.
Source: C:\Windows\System32\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | Sections loaded (first instance): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll; the other two instances load the same set minus apphelp.dll. None of the three loads the WMI, network or capture libraries seen in the Desktop instance.
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rivalsanticheat.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: rivalsanticheat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rivalsanticheat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb2e source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B71B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B71B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: \??\C:\Users\user\Desktop\rivalsanticheat.PDB source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B6E3000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdbY source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.Configuration.ni.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3454196854.000000001BEA9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.Configuration.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: rivalsanticheat.exe, 00000000.00000002.3454196854.000000001BEA9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: Microsoft.VisualBasic.pdbmscorlib.dllPQS source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: 0C:\Windows\mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3454196854.000000001BEA9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.Core.ni.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3454196854.000000001BEA9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdbSYSTEM*l source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B71B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbR source: rivalsanticheat.exe, 00000000.00000002.3451215148.0000000000895000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B6E3000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3451215148.0000000000895000.00000004.00000020.00020000.00000000.sdmp, rivalsanticheat.exe, 00000000.00000002.3451215148.0000000000915000.00000004.00000020.00020000.00000000.sdmp, WER2E71.tmp.dmp.12.dr
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbTo source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B71B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3451215148.0000000000895000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.Management.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.Management.ni.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B71B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: indoC:\Windows\mscorlib.pdb source: rivalsanticheat.exe, 00000000.00000002.3454196854.000000001BEA9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER2E71.tmp.dmp.12.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER2E71.tmp.dmp.12.dr

                    Data Obfuscation

Source: rivalsanticheat.exe, Zj3A2ceVsypvLkuHb7vS0hOvuoE3YlQ6oYsQLki9xMow.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{eISxuTAmwmXp2bOP9dtQhIMzrr363r3ygdkq9O7WCk3W.Fm4IT5ezSKgtbpBEkd9yyVSjpfSZcrHiM0ryIGbMnpwQ,eISxuTAmwmXp2bOP9dtQhIMzrr363r3ygdkq9O7WCk3W.rMp2gJUGXV3ZbV6N6llOwRdHZR3wcgtHpnoMg7OfWoEj,eISxuTAmwmXp2bOP9dtQhIMzrr363r3ygdkq9O7WCk3W.ImALPWfsqMQZsaCvxR9IHBIx9kNghVxCDxHAROjzBasS,eISxuTAmwmXp2bOP9dtQhIMzrr363r3ygdkq9O7WCk3W._7wdwDu5jCIexezcCBVRzZKo6D9mjd3B3fvk9TFIiaweR,CwFHZkjzy8fuL42ssK4j02FfYn8bn.guowrwDGUepZTuyngnhAX2iRYPKTD()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: rivalsanticheat.exe, Zj3A2ceVsypvLkuHb7vS0hOvuoE3YlQ6oYsQLki9xMow.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{R9yDxJGfdmo3SkpyatNdrGEd17hOZNnCzF5873p4IniT[2],CwFHZkjzy8fuL42ssK4j02FfYn8bn.mIKZbUt565OgyM9r3xHRDhPKGyDA4(Convert.FromBase64String(R9yDxJGfdmo3SkpyatNdrGEd17hOZNnCzF5873p4IniT[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: rivalsanticheat.exe.0.dr, Zj3A2ceVsypvLkuHb7vS0hOvuoE3YlQ6oYsQLki9xMow.cs | .Net Code: the same two NewLateBinding.LateCall(..., "Invoke", ...) sites in the dropped copy
Source: rivalsanticheat.exe, Zj3A2ceVsypvLkuHb7vS0hOvuoE3YlQ6oYsQLki9xMow.cs | .Net Code: _0sGHB0igTMVFlt1yxCvQbOdcoQ9hnEW1OzoHCBsGyS3j System.AppDomain.Load(byte[])
Source: rivalsanticheat.exe, Zj3A2ceVsypvLkuHb7vS0hOvuoE3YlQ6oYsQLki9xMow.cs | .Net Code: _2r0VXtgKusekgogzbPvtkc1oEuxXZo6TQkrD8fBKu872 System.AppDomain.Load(byte[])
Source: rivalsanticheat.exe, Zj3A2ceVsypvLkuHb7vS0hOvuoE3YlQ6oYsQLki9xMow.cs | .Net Code: _2r0VXtgKusekgogzbPvtkc1oEuxXZo6TQkrD8fBKu872
Source: rivalsanticheat.exe.0.dr, Zj3A2ceVsypvLkuHb7vS0hOvuoE3YlQ6oYsQLki9xMow.cs | .Net Code: the same AppDomain.Load(byte[]) call sites in the dropped copy
Taken together, these call sites show the unpacker pattern: a Base64 string is decoded (Convert.FromBase64String), transformed by a helper, loaded as an assembly straight from memory (AppDomain.Load(byte[])) and entered through a late-bound "Invoke", so the second stage is never written to disk as its own file.
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Code function: 0_2_00007FFD9B86A705 push eax; retf 0_2_00007FFD9B86A833
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Code function: 0_2_00007FFD9B8621C8 push ebx; iretd 0_2_00007FFD9B8621EA
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Code function: 0_2_00007FFD9B86794D push ebx; retf 0_2_00007FFD9B86796A
Source: C:\Users\user\Desktop\rivalsanticheat.exe | Code function: 0_2_00007FFD9B8600BD pushad ; iretd 0_2_00007FFD9B8600C1
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe | Code function: 3_2_00007FFD9B8600BD pushad ; iretd 3_2_00007FFD9B8600C1
These push/retf and pushad/iretd hits are a low-confidence signal: in a .NET process, linear disassembly of JIT-compiled or data regions at these high addresses frequently produces such sequences, so they should not be weighted as deliberate anti-analysis on their own.
Source: rivalsanticheat.exe, VcacVJ1em6v07R5IV484AfJ4JiVN5.cs | High entropy of concatenated method names: '_6lRl6jDM150xy79DBIVDdX5sSvapE', 'wjChbTmZT2OYFjiT0uP74LlAV8Wyt', 'LgpgbmqiObPCAYZd7rg8Y1JovEMkP', 'NzdTuA1JlrLDp1s2ub2Q2o', 's2gBFv5eIeYNlNOLqufHlv', 'Qp1fWcTf1nDc7PqNMW9Mdy', 'xqGtCom2LqzujpQNHjnweQ', 'mz3j6ieQi3IdZ8ejmd72Vq', 'yrcxCgFOeoDwrIoEJbvCkN', 'qI2eQSUAWY5FzY1lcccS0c'
Source: rivalsanticheat.exe, eISxuTAmwmXp2bOP9dtQhIMzrr363r3ygdkq9O7WCk3W.cs | High entropy of concatenated method names: 'GL4DGDTNkoxvi5RxKVLUoCmoyn4DQqF8sXbckiSwztppLQ6pAlzx7svp0wuBwC', 'jO6777MkbcyZ1m4OA7u7Cxm4jhMjva9lnUIDQ5pwn81TdrmxRjzfdIBRnAKLt3', 'qeusPqODQcqt2ipmHr7DoLPNTApdt3B6ftoJaxzmvaC5V1GMST35b9D7N57Sfn', 'e9asjdqng6Y9hC9EtQdxaqUI1aTAQrP3ApsZQZxAIPTGpVH2ZJmbGBS9PwzR9q'
Source: rivalsanticheat.exe, oBuT1QH6a41s.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'uimPyDiJOuUAZ1SArMigmVbySeeknRQEnYjWo9tCAn2GEBt1gAVH4xFZMFPuEx', 'RvZctpUuUAPyNhWi5kwjSLmaMGAzSxnzGzRzhXhkhDztAFZpl6bOOwCALcOrtQ', 'GB6gSDM5xYU2WdmaggvmQVPTl8wuwM4txCmWcPsHNHVlcOuU62pCIWjavHpssv', 'j5QXPslyK2JwvEelGClIFaPxi4Zi7ljtRC6oXdS4jNbBwLOFobC92eXgWVmd4f'
Source: rivalsanticheat.exe, bb2clQFJgGrOun9pdWjRRbebdaMMZUq1KbWDu03Q2zot.cs | High entropy of concatenated method names: 'u8QEiX8j3XM2UAqZf4bdIa4ThVBpskbv5Ftf8NsSss5p', 'XZmQR6HgpF6SWthMDC3Nk7rZEE0tT9SvAKJSWgRiTZgF0rNkQhlbOIiwJxNqlNhZfQDWkxg6gfCVPL7', 'p90PF3mlwQudzXVPM5jG5ISklliTjCj3Sxkw5paojpOoebo9hn3VrNTMcGEK0PQ2nZKJ3qKrRZnOL3l', 'ElqXPQmrYFWeZMJeGjrq7VdmP5GERyRPcciyoQzmw0AT43SkQzyJVKUJ6V4XRG7jAOdbAUw9slZusaC', '_2weGW0pjT00Z2KmZOWEovcL2K2pFsLrLZrZybJp39pXPjsWXgT4ljvAy4SzXLfnWPrECj254ccsfFKy'
Source: rivalsanticheat.exe, fh8tnrz5txb35hggkbSAYsj4mZ8AYvylTgfr4fE2Q15U.cs | High entropy of concatenated method names: 'B7Hvr6jG42UqFCoChQJF91NoI3vd3OlqvOejbGMSNL7L', 'Kt2g5iSc42iez0MlWTFdFi2SswgrDx9an0bJx1eutmSR', 'kkjmMQxnTmcO78QGDUFkyIhQrF1a0xIMIp3HgAXp2bFv', '_56Sjig3wZ0eFsrr09k7JXTeCofXGd5dU4V8Y68PXYDmG', 'CzP31gwxC6lGNYMzSWPTVHLT7cnZ8Uugz8l0d79v65jZ', 'dOMGT66IEgtPiUFls7673EN0WbA5qFAf6WDjukXEc3B6', 'mOZA5aS6ZEyL64DVxSX8p0Jb1Qera7OHpIg00dnQT5q0', 'jcyyZQTSlnmVNIXoQ0KYemOPoNjlgeGvtpQxdCjdhaGx', 'miFnSnOy5VJYxmgeKm6hbCLGI9wjRY7BmMy5hXr8uUgS', 'uYqiouQ9PNPTEs3Mq1hr0M0bUl3ZQSsEU0zpaq82LGBq'
Source: rivalsanticheat.exe, riNVOSuG9gHMEsIGB2S909igwoELbkqfqzvNazIu1Ygx.cs | High entropy of concatenated method names: 'fyyAVidFwh52zRiz7luPppLiFNEFICpdGbTlMSbmBtev', 'leqYSiowcvsQOXJBlmxx5myrsiEy0iPVEQzJlVWPKZ8N', 'XgmBxG2wrRTs0yZwca2B1JgPzBfaJ', 'Aasb1IZ2VuBKV5iD04rPNZvBaNZbk', '_0X2UL5MWT5UfWUyDjvGLRJf77khux2Z3yg1Rhpr9ejbasfV5ZlifyeHTyzWX6gKvKIW9LrKkU4zSnbh', '_0rlx1kyDWTGxogKxsq0V8QP92BWdm1vn0n1ejG5QS4Pq6QR4tamTN9Q8FVMeHXntGIVN3fOACN0SYem', 'JMh9zvOzsXYVLQa9wbGrLtXZtsmQX1CO7TTA1fYjovyvvhsoUjqP2iMjANT4mgwcxMF9VMa6a5EPWV2', 'sUgR92Dmwq1SxWNlfWh3DYPVvQJHg9wSzxeUSNfOymx26MAlAJjGLNqK0Re56xMS2XLP4xWpDFFAA97', 'N8Wiqbfua3ZsTTiAyI4rrc9igG18oVTDRipFcqYUhT8upNWX71nfNrPloKQ1xr8peDqZrOjYbWfs0Lm', 'jtP2LczDIhNsqMWjhcsJPBGRq8kZhgGcR5Ojfsy8blJhRpaD7vhVnB5WzyiZHsuRfUOSxAMku2qPND1'
Source: rivalsanticheat.exe, CwFHZkjzy8fuL42ssK4j02FfYn8bn.cs | High entropy of concatenated method names: 'Oi7weUyWuCQQhBF5YiejJk0fX94oE', '_0x01OaaO20ENdzFmowUzV4HZtIFX7', 'FTCZrxoK93PDHVS0JxfUFMpUBpow0', 'pAG9Vj4L9RHqaLZMlHQj7Omuc0sqw', '_7VfcQh08yWeUNULNsVdw49Yj9dpR7', 'P70ee5bjl0UQVHJORbqUNMlem1hvg', 'lzcuTeLxip3gzB5m1p2JLkvh7JovQ', 'CLyOVjEqvdKAJ59sbvJpQBIa97v3g', '_1j9wF4Iacf7t98THFs8tBa2C9bcQA', '_8ZnnGctPnYhdzKL7GD87l0iDK7pxS'
Source: rivalsanticheat.exe, Zj3A2ceVsypvLkuHb7vS0hOvuoE3YlQ6oYsQLki9xMow.cs | High entropy of concatenated method names: 'd8KpWZL4NE0DLYIuzVsnnSnqz668asGvOA8Jqsmitl7y', '_0sGHB0igTMVFlt1yxCvQbOdcoQ9hnEW1OzoHCBsGyS3j', 'tMcwII6xDd8m7jW41cN0uUKS6q2mDXWLMgc4U1vdPOus', 'nnc75mvNG89CwLwo3K7woBQucA9mCoHjmsgRR70CRgFl', 'v8s3kXET2YDB5K8SIJUZHYoRxGS3RwvPvzKMERZKio2U', 'ltRN3OaxH7coWH1AmQwyFdMo9ufu8aegmB6GfD7cblVS', 'Paxqe58OkbYRzd6nZ4YA4jgCi2ccftDbmsbUKcEW4FAE', 'WHaDPPU0hlA69IsVOINOF8G3d9cBQJH3DZlpeNqNP9za', 'FaBoXqLR9DN1itTlvJzGZKuKdFh8bIx5qAcUp65YMyLW', 'BG5rJdzYCSPYbTpD5Np9Bw6d8pons6252riffNrdKyZO'
Source: rivalsanticheat.exe, cCtJmGsFBRSmjuWVUJhTNMkmsgWgXScdGcmbjBqGaR1T.cs | High entropy of concatenated method names: '_8DLlAzHZ6Wl03EQ1ZFHZUXljgNaqnqjr7UK9jpBUGJQw', 'njFZ8sV0ef1VWhmX17Er8effWarqpqrqwyCNb3KX0GTK', 't5kaLaGzS2Njz8dXlUhOc3LMjjoSl0TWqTfXdlDSLRPS', 'inNIYkvDMzacGsiGvvMajJLPkrvRiBihdgfuLkXeAZPU', 'hPZwgp9ogeeAvgVEOpSP3CZsxrQzZXXJaBoMHtcrc74x', 'LT3cVDpeo5ddai5sRrvg5oWnhUHWX2bdODcEbZk1gBKu', 'xNaMvUjlJzngx4HGQSl3TMb1dsqTzVYmArrwlPWrGMPI', 'WIFOnRd3ecyhS4J7TkGWcsF2reZCNDXfruUhbLjvjhUd', 'hW9RukMlo0dH0jaGvjaq146BXX9HoNDrSk1oZRRAn4hZ', 'StBL68hDZMiDvA7V8zda9VIgZX2sDqmQXuhUzKNIUO14'
Source: rivalsanticheat.exe, wPpUVasNl83McTjXeCT7REF5YtT48.cs | High entropy of concatenated method names: 'fyuyopi7PzopjcJZGhukcoMTamUUf', 'Dz41oeX7buYQj3Exd1tfUay2T72EkI3WHimPmorWgeqkwcUd90j8kMlgQBmnJu3xOhBNrPBTmRAqwgE', 'JxYAHRWf6sDdj2HkhY5bvWINtEtrKNxPkcnzo6lwv5phbtn2ABEg3K6S5QMavH6Wfv6CSsPONVlDOy7', 'xw5r0zOIqPk41s1uqoxamC0Hcx2uTsOCRAwo3EZS437q5Kcgj4bEtSCtzmTU2tJ1xF8a5DVZqh50cw4', 'orIPmORCjjJ151KTXNdDBK3g2CUM5dGyxxLQoU8UQilCnNawXBLx2ZUpf7aDHfahPKBHcGn2YGWvIHb'
Source: rivalsanticheat.exe.0.dr | High entropy of concatenated method names: the same ten classes with the same method-name sets as listed above for the submitted file, found again in the dropped copy
Source: C:\Users\user\Desktop\rivalsanticheat.exe | File created: C:\Users\user\AppData\Roaming\rivalsanticheat.exe (dropped file)

                    Boot Survival

                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe"
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  Process information set: NOOPENFILEERRORBOX  (52 identical entries)
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Process information set: NOOPENFILEERRORBOX  (60 identical entries)
                    Source: C:\Windows\System32\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX  (5 identical entries)
                    Source: C:\Windows\System32\WerFault.exe  Process information set: NOOPENFILEERRORBOX  (51 identical entries)
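The schtasks command line in this section is the whole persistence story: a task named after the dropped binary re-runs C:\Users\user\AppData\Roaming\rivalsanticheat.exe every minute at the highest run level, so killing the process buys at most sixty seconds. The Python below is an added example, not part of the Joe Sandbox report, that scores schtasks /create command lines the way a detection engineer would see them in Sysmon Event ID 1 or Security 4688 data. The only real command line is the one this report records; the other events, the weights and the threshold are constructed for the example.

```python
import re
from dataclasses import dataclass

# Paths a non-privileged user can write to: a task whose /tr action lives here
# re-launches whatever the dropper left behind.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Windows\\Temp)\\|\\Temp\\",
    re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\(Windows\\|Program Files)", re.IGNORECASE)
# schtasks switches that consume the following token as their value.
VALUE_OPTS = {"/tn", "/tr", "/sc", "/mo", "/rl", "/st", "/sd", "/ed", "/et", "/du",
              "/ri", "/ru", "/rp", "/s", "/u", "/p", "/xml", "/d", "/m", "/i", "/ec"}

# Constructed process-creation events (parent image -> command line). Only the
# first command line is the one the sandbox report records; the others are
# made up here to give the scorer benign and borderline input.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\rivalsanticheat.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe"'},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'schtasks.exe /create /tn "Adobe Acrobat Update Task" /sc daily /st 09:00 /tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r'schtasks /delete /tn "OldJob" /f'},
    {"parent": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "cmd": r'schtasks /create /tn Updater /sc onlogon /tr "C:\Users\user\AppData\Local\Temp\upd.exe"'},
]


@dataclass
class Finding:
    score: int
    reasons: list
    suspicious: bool


def parse_schtasks(cmd):
    """Split a schtasks command line into (verb, {switch: value-or-True})."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    if not tokens or "schtasks" not in tokens[0].lower():
        return None
    verb, opts, i = None, {}, 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ("/create", "/delete", "/query", "/change", "/run", "/end"):
            verb = tok[1:]
        elif tok in VALUE_OPTS and i + 1 < len(tokens):
            opts[tok[1:]] = tokens[i + 1]
            i += 1
        elif tok.startswith("/"):
            opts[tok[1:]] = True          # bare flag such as /f or /z
        i += 1
    return verb, opts


def score_create(parent, cmd, threshold=5):
    """Score one event; None if it is not a schtasks /create."""
    parsed = parse_schtasks(cmd)
    if parsed is None or parsed[0] != "create":
        return None
    _, o = parsed
    reasons = []
    tr = str(o.get("tr", ""))
    if USER_WRITABLE.search(tr):
        reasons.append(("task runs a binary from a user-writable path", 3))
    mo = str(o.get("mo", ""))
    if str(o.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append((f"re-launches every {mo} minute(s): watchdog-style persistence", 3))
    if str(o.get("rl", "")).lower() == "highest":
        reasons.append(("requests highest run level", 1))
    if o.get("f") is True:
        reasons.append(("/f silently overwrites an existing task", 1))
    if parent and not SYSTEM_DIRS.match(parent):
        reasons.append(("creating process is not an installer or system binary", 2))
    stem = re.sub(r"\.exe$", "", tr.split("\\")[-1], flags=re.IGNORECASE)
    if stem and str(o.get("tn", "")).lower() == stem.lower():
        reasons.append(("task name equals the dropped binary's name", 1))
    score = sum(w for _, w in reasons)
    return Finding(score, [r for r, _ in reasons], score >= threshold)


def triage(events, threshold=5):
    """Return (index, score, reasons) for every event at or above the threshold."""
    out = []
    for idx, ev in enumerate(events):
        f = score_create(ev["parent"], ev["cmd"], threshold)
        if f and f.suspicious:
            out.append((idx, f.score, f.reasons))
    return out


if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {SAMPLE_EVENTS[idx]['cmd']}")
        for r in reasons:
            print("    -", r)
```

The weights are deliberately redundant: a task from AppData with a one-minute trigger scores high even without the /RL HIGHEST and /f hints, and a user-writable /tr on its own is worth a look but not a page.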

                    Malware Analysis System Evasion

                    Source: global traffic  HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive  (2 identical entries)
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController  (7 identical entries)
                    Source: rivalsanticheat.exe, rivalsanticheat.exe.0.dr  Binary or memory string: SBIEDLL.DLL}YJSAPYLO9VHUSE7G89TXWCKCXBFO8HREHWIYGRYZLDVVNAZ5VULKMGKOPKWPYP}QSWQRSJOHBQLUSMTTQGHTRJQF8BF1OCPLQZKEOHTR0ACW6XCRLGYGRJSHLHZVZ}SUJHW7EUZIHNN0RWRPM8ESUKFKTG0FCEBY0QDEEAVKGUX21GI1KP2PMJWEDLM8}NLOJVCRKGYLJZGQ5IIABKWHBKFNVVWUWT07Z9OKXHFDGMUPU8NRHKKOTI50L3H}5M1KPEY5HTROFFK7ROWWMW2JLED2SOEYZYJTDLHZ2AOZYQTHGYFXCEVW1KFG8W}JNDIUC9XO6SAVWXWPBRZFB9OBRKQJ1PTLEEZZGK46HJPZ3DP7BXUZSDU2CYNJ4}XJUKFBMY826TDACXDBKEDBLFTFMW2AEP6MBUMUN2RLFKPIVX8LHRXNMUUVJN42}SMNNVCYIPN2SJIFLUUDHAHSHXCRFVT8I0XCLIBLQPLUI1S01MSCERJTNMP8YFX}YVJJOHDUQSCMZTWF1XPLCS1GN1YPBOWZYMTRYXW99OAZLCK1XZ3SVKKAISC0SP}IU7GVDGSY2IIFFFYHIPVLNPLEMZDCTOTQB5QZFUGU5U6BYUE2RWVCM4G6YKVRS}CT9LQKBROEGNVLKKFAJSSAYNBI3JHV5YQKX5NB1QI52QF9L6M54KXE8CSLILKN}BNT7YZ32CJHCZIQJDHTM6AX6OXSHKHVEYBQ3MPZI135LVFG83K9DY1P1U48O73INFO
                    Source: rivalsanticheat.exe, 00000000.00000002.3451897857.00000000027F1000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  Memory allocated: B40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  Memory allocated: 1A7F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Memory allocated: 960000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Memory allocated: 1A480000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Memory allocated: E20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Memory allocated: 1A7F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Memory allocated: 2FB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Memory allocated: 1B210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Thread delayed: delay time: 922337203685477  (3 identical entries)
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  Window / User API: threadDelayed 6124
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  Window / User API: threadDelayed 3723
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe TID: 5804  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe TID: 6348  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe TID: 2000  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe TID: 2176  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  File Volume queried: C:\ FullSizeInformation  (8 identical entries)
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  File Volume queried: C:\ FullSizeInformation  (3 identical entries)
                    Source: C:\Users\user\Desktop\rivalsanticheat.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe  Thread delayed: delay time: 922337203685477  (3 identical entries)
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.12.dr  Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.12.dr  Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.12.dr  Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.12.dr  Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.12.dr  Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.12.dr  Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.12.dr  Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.12.dr  Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B6A3000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.12.dr  Binary or memory string: vmci.sys
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.12.dr  Binary or memory string: vmci.syshbin`
                    Source: rivalsanticheat.exe.0.dr  Binary or memory string: vmware
                    Source: Amcache.hve.12.dr  Binary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.12.dr  Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware20,1
                    Source: Amcache.hve.12.dr  Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.12.dr  Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.12.dr  Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.12.dr  Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.12.dr  Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.12.dr  Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.12.dr  Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.12.dr  Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Source: C:\Users\user\Desktop\rivalsanticheat.exe, Code function: 0_2_00007FFD9B8670F1 CheckRemoteDebuggerPresent, 0_2_00007FFD9B8670F1
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Process queried: DebugPort
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Process queried: DebugPort
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Process queried: DebugPort
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Process token adjusted: Debug
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Process token adjusted: Debug
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe"
Source: rivalsanticheat.exe, 00000000.00000002.3451897857.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: rivalsanticheat.exe, 00000000.00000002.3451897857.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Program Manager
Source: rivalsanticheat.exe, 00000000.00000002.3451897857.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: rivalsanticheat.exe, 00000000.00000002.3451897857.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: rivalsanticheat.exe, 00000000.00000002.3451897857.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Program Manager2
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Queries volume information: C:\Users\user\Desktop\rivalsanticheat.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Queries volume information: C:\Users\user\AppData\Roaming\rivalsanticheat.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Queries volume information: C:\Users\user\AppData\Roaming\rivalsanticheat.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Queries volume information: C:\Users\user\AppData\Roaming\rivalsanticheat.exe VolumeInformation
Source: C:\Users\user\Desktop\rivalsanticheat.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.12.dr, Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr, Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B671000.00000004.00000020.00020000.00000000.sdmp, rivalsanticheat.exe, 00000000.00000002.3453788430.000000001B6E3000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.12.dr, Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\rivalsanticheat.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\rivalsanticheat.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\rivalsanticheat.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\rivalsanticheat.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\rivalsanticheat.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\rivalsanticheat.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\rivalsanticheat.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match, File source: rivalsanticheat.exe, type: SAMPLE
Source: Yara match, File source: 0.0.rivalsanticheat.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.1648426795.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.3451897857.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rivalsanticheat.exe PID: 1360, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, type: DROPPED

Remote Access Functionality

Source: Yara match, File source: rivalsanticheat.exe, type: SAMPLE
Source: Yara match, File source: 0.0.rivalsanticheat.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.1648426795.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.3451897857.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rivalsanticheat.exe PID: 1360, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matching signatures):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (151); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (541); Process Discovery (1); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (23); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (22); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1582991, Sample: rivalsanticheat.exe, Start date: 01/01/2025, Architecture: WINDOWS, Score: 100
Network: jholo.duckdns.org (5.89.185.156, ports 49733, 49740, 49741; VODAFONE-IT-ASNIT, Italy); ip-api.com (208.95.112.1, ports 49732, 50012, 80; TUT-ASUS, United States)
Graph signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures; Uses dynamic DNS services (jholo.duckdns.org)
Processes: rivalsanticheat.exe (four instances started); schtasks.exe and WerFault.exe started by the first rivalsanticheat.exe instance; conhost.exe started by schtasks.exe
Dropped files: C:\Users\user\AppData\...\rivalsanticheat.exe (PE32); C:\Users\user\...\rivalsanticheat.exe.log (CSV)
Process signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Source, Detection, Scanner, Label:
rivalsanticheat.exe: 79%, ReversingLabs, Win32.Exploit.Xworm
rivalsanticheat.exe: 75%, Virustotal
rivalsanticheat.exe: 100%, Avira, HEUR/AGEN.1305769
rivalsanticheat.exe: 100%, Joe Sandbox ML
Source, Detection, Scanner, Label:
C:\Users\user\AppData\Roaming\rivalsanticheat.exe: 100%, Avira, HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\rivalsanticheat.exe: 100%, Joe Sandbox ML
C:\Users\user\AppData\Roaming\rivalsanticheat.exe: 79%, ReversingLabs, Win32.Exploit.Xworm
No Antivirus matches
No Antivirus matches
Source, Detection, Scanner, Label:
jholo.duckdns.org: 100%, Avira URL Cloud, malware
Name, IP, Active, Malicious, Antivirus Detection, Reputation:
ip-api.com: 208.95.112.1, active: true, malicious: false, reputation: high
jholo.duckdns.org: 5.89.185.156, active: true, malicious: true, reputation: unknown
Name, Malicious, Antivirus Detection, Reputation:
jholo.duckdns.org: malicious: true, Avira URL Cloud: malware, reputation: unknown
http://ip-api.com/line/?fields=hosting: malicious: false, reputation: high
Name, Source, Malicious, Antivirus Detection, Reputation:
http://upx.sf.net: source Amcache.hve.12.dr, malicious: false, reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: source rivalsanticheat.exe, 00000000.00000002.3451897857.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, malicious: false, reputation: high
IP, Domain, Country, ASN, ASN Name, Malicious:
208.95.112.1: ip-api.com, United States, ASN 53334, TUT-ASUS, malicious: false
5.89.185.156: jholo.duckdns.org, Italy, ASN 30722, VODAFONE-IT-ASNIT, malicious: true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1582991
                              Start date and time:2025-01-01 10:40:07 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 44s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Critical Process Termination
                              Sample name:rivalsanticheat.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@8/7@19/2
                              EGA Information:
                              • Successful, ratio: 25%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 38
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target rivalsanticheat.exe, PID 1928 because it is empty
                              • Execution Graph export aborted for target rivalsanticheat.exe, PID 5888 because it is empty
                              • Execution Graph export aborted for target rivalsanticheat.exe, PID 7048 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • Report size getting too big, too many NtSetInformationFile calls found.
Time, Type, Description:
04:41:06, API Interceptor: 9209440x Sleep call for process: rivalsanticheat.exe modified
09:41:03, Task Scheduler: Run new task: rivalsanticheat path: C:\Users\user\AppData\Roaming\rivalsanticheat.exe
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
208.95.112.1:
• rename_me_before.exe, malicious, Python Stealer, Exela Stealer (context: ip-api.com/json)
• vEtDFkAZjO.exe, malicious, RL STEALER, StormKitty (context: ip-api.com/xml)
• Fizzy Loader.exe, malicious, Blank Grabber, Umbral Stealer (context: ip-api.com/json/?fields=225545)
• Extreme Injector v3.exe, malicious, XWorm (context: ip-api.com/line/?fields=hosting)
• VegaStealer_v2.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer (context: ip-api.com/json/?fields=61439)
• SharcHack.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig (context: ip-api.com/json/)
• SharcHack.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer (context: ip-api.com/json/?fields=61439)
• 987656789009800.exe, malicious, AgentTesla (context: ip-api.com/line/?fields=hosting)
• good.exe, malicious, PureLog Stealer, zgRAT (context: ip-api.com/json/)
• Client-built.exe, malicious, Quasar (context: ip-api.com/json/)
5.89.185.156:
• uncrypted.exe, malicious, DarkVision Rat (context: jholo.duckdns.org/upload.php)
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
ip-api.com:
• rename_me_before.exe, malicious, Python Stealer, Exela Stealer (context: 208.95.112.1)
• vEtDFkAZjO.exe, malicious, RL STEALER, StormKitty (context: 208.95.112.1)
• Fizzy Loader.exe, malicious, Blank Grabber, Umbral Stealer (context: 208.95.112.1)
• Extreme Injector v3.exe, malicious, XWorm (context: 208.95.112.1)
• VegaStealer_v2.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer (context: 208.95.112.1)
• SharcHack.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig (context: 208.95.112.1)
• SharcHack.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer (context: 208.95.112.1)
• 987656789009800.exe, malicious, AgentTesla (context: 208.95.112.1)
• good.exe, malicious, PureLog Stealer, zgRAT (context: 208.95.112.1)
• Client-built.exe, malicious, Quasar (context: 208.95.112.1)
jholo.duckdns.org:
• uncrypted.exe, malicious, DarkVision Rat (context: 5.89.185.156)
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
VODAFONE-IT-ASNIT:
• uncrypted.exe, malicious, DarkVision Rat (context: 5.89.185.156)
• kwari.mips.elf, malicious, Unknown (context: 93.150.243.45)
• botx.mips.elf, malicious, Mirai (context: 37.178.147.159)
• botx.x86.elf, malicious, Mirai (context: 109.119.42.246)
• star.ppc.elf, malicious, Mirai, Moobot (context: 5.89.85.231)
• mpsl.elf, malicious, Mirai, Moobot (context: 5.95.28.147)
• db0fa4b8db0333367e9bda3ab68b8042.spc.elf, malicious, Mirai, Gafgyt (context: 37.118.210.45)
• loligang.sh4.elf, malicious, Mirai (context: 188.217.53.181)
• loligang.mpsl.elf, malicious, Mirai (context: 93.147.74.169)
• nabarm7.elf, malicious, Unknown (context: 91.80.70.20)
TUT-ASUS:
• rename_me_before.exe, malicious, Python Stealer, Exela Stealer (context: 208.95.112.1)
• vEtDFkAZjO.exe, malicious, RL STEALER, StormKitty (context: 208.95.112.1)
• Fizzy Loader.exe, malicious, Blank Grabber, Umbral Stealer (context: 208.95.112.1)
• Extreme Injector v3.exe, malicious, XWorm (context: 208.95.112.1)
• VegaStealer_v2.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer (context: 208.95.112.1)
• SharcHack.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig (context: 208.95.112.1)
• SharcHack.exe, malicious, Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer (context: 208.95.112.1)
• 987656789009800.exe, malicious, AgentTesla (context: 208.95.112.1)
• good.exe, malicious, PureLog Stealer, zgRAT (context: 208.95.112.1)
• http://au.kirmalk.com/watch.php?vid=7750fd3c8, malicious, Unknown (context: 162.252.214.4)
                              No context
                              No context
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):1.3692073450975948
                              Encrypted:false
                              SSDEEP:192:w4fLVF3081iHxaWz8iyUhlxjKzEzuiFjZ24lO8/4ya:wuLVFE81iRa48ihxWQzuiFjY4lO8/l
                              MD5:64C24A1E6D65BADA024C39556E4C63C0
                              SHA1:5C3A57DBBE4AC53272EE487DE60D00A33AAC5E29
                              SHA-256:7C2DBFB9480B64EF54FD831304BA66CDF437F16D5B6DF3AF0DE8BED080BDCC83
                              SHA-512:55CC4572C22159F782322D79156681D6D21A42BDB393DA85EAD146B6AC6CDA48ACA2368F8726942F7789CF2BCC9D0B5A6BF2D4F4C8296D8DDC415EBDDA7DFE82
                              Malicious:false
                              Reputation:low
                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.1.9.8.2.3.5.0.0.9.1.6.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.e.e.e.2.c.d.-.a.c.f.4.-.4.2.2.b.-.b.b.0.0.-.c.a.f.5.7.1.b.2.d.2.7.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.2.1.b.f.c.6.-.d.b.0.3.-.4.e.6.b.-.b.a.3.3.-.e.8.8.b.5.f.f.6.d.7.e.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.i.v.a.l.s.a.n.t.i.c.h.e.a.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.r.i.v.a.l.s.a.n.t.i.c.h.e.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.5.0.-.0.0.0.1.-.0.0.1.4.-.6.f.a.d.-.5.5.4.1.3.1.5.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.d.8.4.d.7.f.1.c.0.2.9.8.0.a.2.e.5.f.4.3.4.b.6.8.c.8.a.7.4.5.0.0.0.0.0.0.0.0.!.0.0.0.0.6.d.b.1.c.6.8.1.c.c.8.1.b.8.1.8.b.d.1.5.c.1.a.e.c.2.d.7.0.3.6.2.f.a.9.9.7.a.c.d.!.r.i.v.a.l.s.a.n.t.i.c.h.e.a.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Mini DuMP crash report, 16 streams, Wed Jan 1 09:43:55 2025, 0x1205a4 type
                              Category:dropped
                              Size (bytes):529625
                              Entropy (8bit):3.0399079424706428
                              Encrypted:false
                              SSDEEP:6144:bBGqEMpjUItqF3QkOpLskOYCk2IKEO4S02Y6kuQa9k:FGqEMRUCqpQkOp4m
                              MD5:DCE4976F781FF17DB934E236C5D9D8C3
                              SHA1:3950BBD22CB0E955BAB6DC711A266F0A000FD531
                              SHA-256:585CB39061D9403D66B0B8F885032C677598FEF33950B73C4A4AA4BE5ADDC9CE
                              SHA-512:24139C0DCB5E37A7C20ACFC43A984A277C15F2A503D58F6C1F62BD331911DA2869EF2367005D9360DB67AC16FCC3873811A1E2EC16BB4111229758B7B412173E
                              Malicious:false
                              Reputation:low
                              Preview:MDMP..a..... .......[.ug............4...........@'..T.......<....1......H....1......$@..*...........l.......8...........T............W..I............E...........G..............................................................................eJ.......G......Lw......................T.......P.....ug....T........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):9346
                              Entropy (8bit):3.698387683156473
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJ3216Y9Dy0/gmfk4jN4t8GprU89bxcnroDrf/bm:R6lXJm16YpJ/gmfks4t7xSroDrfq
                              MD5:8A0D27042E51866EB8EF625CEC9FE9BE
                              SHA1:07D8D72A03C17D8DDEA96D7D82385D682D20F0E5
                              SHA-256:009A0BF659AAE8D15FBD3381D1BB6B3D4F4DF412D00FCBF72BC7E1D208BC71D9
                              SHA-512:72AB66BEDF33FCA43AE1E16A1E8BBEC1AA7DCE059F89B8623F1EB97BB18A6B5675D144D31B7082F3633A1C693FFA2694382B624B6BC19E45114BFFC702B810A7
                              Malicious:false
                              Reputation:low
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.6.0.<./.P.i.
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4958
                              Entropy (8bit):4.459273758978835
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsxJg771I9zCpWpW8VYPoYm8M4JdSFjKyq8vRrZd/XM0WXid:uIjfDI7ACY7V4FJ+KWDBQid
                              MD5:485C807F7106EFBE876AF8DCE4F1163D
                              SHA1:3E89567EF2F86343062404F7C143BE1278FFE219
                              SHA-256:88628A7D557EFD5640A6D10ECBC6366BACFAA03D5D7533A0CD7517716791BDC6
                              SHA-512:312817F6585F597F5AD896D2B2E8CBBE7A68C19CCE03A43CE54B0DA1A8F2CB065C69BB34EC92345FD0E54680E923341AC98C7EA1B457B82F810B304364668245
                              Malicious:false
                              Reputation:low
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="656686" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Users\user\AppData\Roaming\rivalsanticheat.exe
                              File Type:CSV text
                              Category:dropped
                              Size (bytes):654
                              Entropy (8bit):5.380476433908377
                              Encrypted:false
                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                              Malicious:true
                              Reputation:moderate, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                              Process:C:\Users\user\Desktop\rivalsanticheat.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):73216
                              Entropy (8bit):5.918587995511303
                              Encrypted:false
                              SSDEEP:1536:L0z/WRwKrmTYSnFjjsmXqMFfvb04dPexOLbEi3SiOgjmE:LNi/tlvb0Nx6bEizOgjt
                              MD5:DED1521D6EF291309ADE101B3844FA22
                              SHA1:6DB1C681CC81B818BD15C1AEC2D70362FA997ACD
                              SHA-256:011C10551A4FA592185FD99631AB98F194282638B3A4C072F386CA3F67509CD9
                              SHA-512:F4ECB9F991E05B9DEB90506B072294AA00E16D49D26A5D1056A29C960BAECFA87F6858016B91DC6302133ED01543BC4ABA7777F8EDE999869C364E4E37D1AFA9
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Author: Joe Security
                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Author: Joe Security
                              • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Author: Sekoia.io
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Author: ditekSHen
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 79%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.tg.............................2... ...@....@.. ....................................@..................................2..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H........Y..(.......&.....................................................(....*.r...p*. .^..*..(....*.r=..p*. .1..*.s.........s.........s.........s.........*.r...p*. ...*.r9..p*. ..e.*.r...p*. ....*.r5..p*. ~.H.*.r...p*. g ..*..((...*.r3..p*. E/..*.r...p*. S...*.(*...-.(+...,.+.(,...,.+.()...,.+.((...,..(F...*&(....&+.*.+5sY... .... .'..oZ...(*...~....-.(Y...(K...~....o[...&.-.*.rK..p*. .~.*.r...p*. ....*.rG..p*. .x!.*.r...p*. ...*.rC..p*. ..W.*.r...p*. .O..*.r?..p*.r...p
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.465587158864858
                              Encrypted:false
                              SSDEEP:6144:/IXfpi67eLPU9skLmb0b4LWSPKaJG8nAgejZMMhA2gX4WABl0uNfdwBCswSbh:wXD94LWlLZMM6YFH1+h
                              MD5:AC5EDA8C6E4800E6672D3364ADD03750
                              SHA1:D177D57451FB1485FC37820EAC031CD1CBDE7C2E
                              SHA-256:5553CDA4EACD5F8E33395E8ECDFEEF3D1AB843D5E88D7E34AD55B58A9A04F493
                              SHA-512:30C62A8D5D37DCCC3CF67AA92ABD99BE5F1FBCF385F963BD6E4958710696749709962F072EAC1DAEAD28070FCE3ED2306B393CA8BCB06C710B8AA9D4CED1690B
                              Malicious:false
                              Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..'.1\..............................................................................................................................................................................................................................................................................................................................................%V0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):5.918587995511303
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:rivalsanticheat.exe
                              File size:73'216 bytes
                              MD5:ded1521d6ef291309ade101b3844fa22
                              SHA1:6db1c681cc81b818bd15c1aec2d70362fa997acd
                              SHA256:011c10551a4fa592185fd99631ab98f194282638b3a4c072f386ca3f67509cd9
                              SHA512:f4ecb9f991e05b9deb90506b072294aa00e16d49d26a5d1056a29c960baecfa87f6858016b91dc6302133ed01543bc4aba7777f8ede999869c364e4e37d1afa9
                              SSDEEP:1536:L0z/WRwKrmTYSnFjjsmXqMFfvb04dPexOLbEi3SiOgjmE:LNi/tlvb0Nx6bEizOgjt
                              TLSH:28638C187BFA4125F1BFAFB12DF17166CA38F2236913D65F68C4028A0A13E85CD517B9
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.tg.............................2... ...@....@.. ....................................@................................
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0x4132fe
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6774893A [Wed Jan 1 00:15:54 2025 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x132ac | 0x4f | .text
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x4ee | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x2000 | 0x11304 | 0x11400 | 28290520b744afd6c1982f66461fb07b | False | 0.6047469429347826 | data | 5.9904173517895885 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .rsrc | 0x14000 | 0x4ee | 0x600 | 97a703be0af2c97af4d2ac4158258e7b | False | 0.3763020833333333 | data | 3.765133107182464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0x16000 | 0xc | 0x200 | af8e124215825ea9a0c46d119ae8548c | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_VERSION | 0x140a0 | 0x264 | data | | | 0.4591503267973856
                               RT_MANIFEST | 0x14304 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                               DLL | Import
                               mscoree.dll | _CorExeMain
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2025-01-01T10:41:40.309380+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49740 | 5.89.185.156 | 7777 | TCP
                               2025-01-01T10:42:27.747710+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49864 | 5.89.185.156 | 7777 | TCP
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Jan 1, 2025 10:41:00.617403030 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                               Jan 1, 2025 10:41:00.622232914 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                               Jan 1, 2025 10:41:00.622292995 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                               Jan 1, 2025 10:41:00.623034954 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                               Jan 1, 2025 10:41:00.627836943 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                               Jan 1, 2025 10:41:01.088197947 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                               Jan 1, 2025 10:41:01.137945890 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                               Jan 1, 2025 10:41:07.614912987 CET | 49733 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:07.619731903 CET | 7777 | 49733 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:07.619800091 CET | 49733 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:08.139451027 CET | 49733 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:08.144311905 CET | 7777 | 49733 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:22.939548969 CET | 49733 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:22.944509029 CET | 7777 | 49733 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:28.989173889 CET | 7777 | 49733 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:28.989233017 CET | 49733 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:29.028706074 CET | 49733 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:29.030287027 CET | 49740 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:29.033487082 CET | 7777 | 49733 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:29.035146952 CET | 7777 | 49740 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:29.035204887 CET | 49740 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:29.063221931 CET | 49740 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:29.068033934 CET | 7777 | 49740 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:40.309380054 CET | 49740 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:40.314246893 CET | 7777 | 49740 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:50.437096119 CET | 7777 | 49740 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:50.437161922 CET | 49740 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:51.237055063 CET | 49740 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:51.238343000 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:51.242044926 CET | 7777 | 49740 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:51.243226051 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:41:51.243292093 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:51.267394066 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:41:51.272213936 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:05.732167959 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:05.736938953 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:07.388851881 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:07.393778086 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:07.550321102 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                               Jan 1, 2025 10:42:07.550384998 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                               Jan 1, 2025 10:42:09.950885057 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:09.955713034 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:11.372742891 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:11.377587080 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:12.601344109 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:12.603945017 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:16.216346979 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:16.531877995 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:16.671726942 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:16.671761990 CET | 7777 | 49741 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:16.671874046 CET | 49741 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:16.803872108 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:16.808777094 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:16.811968088 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:16.858380079 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:16.863244057 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:20.091787100 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:20.096579075 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:22.091423988 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:22.096292019 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:22.169660091 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:22.174595118 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:23.107104063 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:23.111902952 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.263343096 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.268143892 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.435226917 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.440099955 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.513331890 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.518162966 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.544620037 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.549464941 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.575833082 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.580662966 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.591490984 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.596230984 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.607016087 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.611814976 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.622798920 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.627614021 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.716500998 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.721338987 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.732064962 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.736819029 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.747709990 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.752506971 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.841451883 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.846208096 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.857214928 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.861984968 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.872669935 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.877528906 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:27.950772047 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:27.955585957 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:33.107264042 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:33.112006903 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:38.138473988 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:38.143351078 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:38.201915979 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:38.201975107 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:41.093966007 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                               Jan 1, 2025 10:42:41.099047899 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                               Jan 1, 2025 10:42:43.169529915 CET | 49864 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.172161102 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.174428940 CET | 7777 | 49864 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:43.177005053 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:43.179038048 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.227529049 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.232337952 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:43.498526096 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.621210098 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:43.685513020 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.690330029 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:43.732117891 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.736933947 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:43.763341904 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.768192053 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:43.825860023 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:43.830892086 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:53.935339928 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:53.940268993 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:53.950946093 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:53.955720901 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:53.966514111 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:53.971302032 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:53.982135057 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:53.986965895 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:53.997718096 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:54.002454996 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:54.013477087 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:54.018345118 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:54.029076099 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:54.033840895 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:54.044553995 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:54.049319029 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:54.060199976 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                               Jan 1, 2025 10:42:54.065012932 CET | 7777 | 50009 | 5.89.185.156 | 192.168.2.4
                               Jan 1, 2025 10:42:54.107144117 CET | 50009 | 7777 | 192.168.2.4 | 5.89.185.156
                              Jan 1, 2025 10:42:54.111923933 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:42:54.138432026 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:42:54.143249989 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:42:54.156593084 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:42:54.161472082 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:42:54.169609070 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:42:54.174402952 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:42:54.232199907 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:42:54.237086058 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:42:54.263359070 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:42:54.268153906 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:42:54.278999090 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:42:54.283834934 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:42:54.294589996 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:42:54.299395084 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:42:59.607177973 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:42:59.612118006 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:04.439400911 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:04.444349051 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:04.584191084 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:04.584310055 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:09.497705936 CET500097777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:09.500262022 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:09.502669096 CET7777500095.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:09.505047083 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:09.505103111 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:09.542629957 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:09.547503948 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:09.560264111 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:09.565206051 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:09.607085943 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:09.611831903 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:09.641005993 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:09.645874023 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:20.263425112 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:20.268349886 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:29.997853041 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:30.002736092 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:30.013398886 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:30.018223047 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:30.060398102 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:30.065243006 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:30.897444010 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:30.901999950 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:35.106969118 CET500107777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:35.111809969 CET7777500105.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:35.227005959 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:35.234124899 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:35.234913111 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:35.290569067 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:35.299021006 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:36.388612986 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:36.393491030 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:38.575881958 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:38.580868959 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:40.404015064 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:40.408926010 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:40.419620991 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:40.424417973 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:42.341576099 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:42.346602917 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:45.341978073 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:45.346913099 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:55.638394117 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:55.643214941 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:55.747844934 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:55.752737999 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:56.620636940 CET7777500115.89.185.156192.168.2.4
                              Jan 1, 2025 10:43:56.626106977 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:43:57.566631079 CET500117777192.168.2.45.89.185.156
                              Jan 1, 2025 10:44:04.793297052 CET5001280192.168.2.4208.95.112.1
                              Jan 1, 2025 10:44:04.798074961 CET8050012208.95.112.1192.168.2.4
                              Jan 1, 2025 10:44:04.798281908 CET5001280192.168.2.4208.95.112.1
                              Jan 1, 2025 10:44:04.798460960 CET5001280192.168.2.4208.95.112.1
                              Jan 1, 2025 10:44:04.803225994 CET8050012208.95.112.1192.168.2.4
                              Jan 1, 2025 10:44:05.273091078 CET8050012208.95.112.1192.168.2.4
                              Jan 1, 2025 10:44:05.327220917 CET5001280192.168.2.4208.95.112.1
                              Jan 1, 2025 10:44:10.675205946 CET500137777192.168.2.45.89.185.156
                              Jan 1, 2025 10:44:11.685003042 CET500137777192.168.2.45.89.185.156
                              Jan 1, 2025 10:44:13.700748920 CET500137777192.168.2.45.89.185.156
                              Jan 1, 2025 10:44:17.700638056 CET500137777192.168.2.45.89.185.156
                              Jan 1, 2025 10:44:25.700781107 CET500137777192.168.2.45.89.185.156
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Jan 1, 2025 10:41:00.603971958 CET | 64387 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:41:00.611074924 CET | 53 | 64387 | 1.1.1.1 | 192.168.2.4
                              Jan 1, 2025 10:41:07.474582911 CET | 53638 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:41:07.589572906 CET | 53 | 53638 | 1.1.1.1 | 192.168.2.4
                              Jan 1, 2025 10:42:16.218815088 CET | 58478 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:42:16.797254086 CET | 53 | 58478 | 1.1.1.1 | 192.168.2.4
                              Jan 1, 2025 10:43:35.109782934 CET | 64471 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:43:35.225853920 CET | 53 | 64471 | 1.1.1.1 | 192.168.2.4
                              Jan 1, 2025 10:44:04.782443047 CET | 60901 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:04.790056944 CET | 53 | 60901 | 1.1.1.1 | 192.168.2.4
                              Jan 1, 2025 10:44:37.623851061 CET | 61720 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:38.622615099 CET | 61720 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:39.623495102 CET | 61720 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:41.622618914 CET | 61720 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:45.740180016 CET | 61720 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:49.732533932 CET | 49408 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:50.747586012 CET | 49408 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:51.763230085 CET | 49408 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:53.763253927 CET | 49408 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:57.779012918 CET | 49408 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:58.264087915 CET | 61164 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:44:59.263200998 CET | 61164 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:45:00.287980080 CET | 61164 | 53 | 192.168.2.4 | 1.1.1.1
                              Jan 1, 2025 10:45:02.278919935 CET | 61164 | 53 | 192.168.2.4 | 1.1.1.1
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Jan 1, 2025 10:41:00.603971958 CET | 192.168.2.4 | 1.1.1.1 | 0x2398 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:41:07.474582911 CET | 192.168.2.4 | 1.1.1.1 | 0x5c65 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:42:16.218815088 CET | 192.168.2.4 | 1.1.1.1 | 0xe696 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:43:35.109782934 CET | 192.168.2.4 | 1.1.1.1 | 0xe363 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:04.782443047 CET | 192.168.2.4 | 1.1.1.1 | 0xdbab | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:37.623851061 CET | 192.168.2.4 | 1.1.1.1 | 0xea83 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:38.622615099 CET | 192.168.2.4 | 1.1.1.1 | 0xea83 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:39.623495102 CET | 192.168.2.4 | 1.1.1.1 | 0xea83 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:41.622618914 CET | 192.168.2.4 | 1.1.1.1 | 0xea83 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:45.740180016 CET | 192.168.2.4 | 1.1.1.1 | 0xea83 | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:49.732533932 CET | 192.168.2.4 | 1.1.1.1 | 0x79d8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:50.747586012 CET | 192.168.2.4 | 1.1.1.1 | 0x79d8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:51.763230085 CET | 192.168.2.4 | 1.1.1.1 | 0x79d8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:53.763253927 CET | 192.168.2.4 | 1.1.1.1 | 0x79d8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:57.779012918 CET | 192.168.2.4 | 1.1.1.1 | 0x79d8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:58.264087915 CET | 192.168.2.4 | 1.1.1.1 | 0xf8af | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:59.263200998 CET | 192.168.2.4 | 1.1.1.1 | 0xf8af | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:45:00.287980080 CET | 192.168.2.4 | 1.1.1.1 | 0xf8af | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:45:02.278919935 CET | 192.168.2.4 | 1.1.1.1 | 0xf8af | Standard query (0) | jholo.duckdns.org | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Jan 1, 2025 10:41:00.611074924 CET | 1.1.1.1 | 192.168.2.4 | 0x2398 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:41:07.589572906 CET | 1.1.1.1 | 192.168.2.4 | 0x5c65 | No error (0) | jholo.duckdns.org |  | 5.89.185.156 | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:42:16.797254086 CET | 1.1.1.1 | 192.168.2.4 | 0xe696 | No error (0) | jholo.duckdns.org |  | 5.89.185.156 | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:43:35.225853920 CET | 1.1.1.1 | 192.168.2.4 | 0xe363 | No error (0) | jholo.duckdns.org |  | 5.89.185.156 | A (IP address) | IN (0x0001) | false
                              Jan 1, 2025 10:44:04.790056944 CET | 1.1.1.1 | 192.168.2.4 | 0xdbab | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                              • ip-api.com
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.4 | 49732 | 208.95.112.1 | 80 | 1360 | C:\Users\user\Desktop\rivalsanticheat.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Jan 1, 2025 10:41:00.623034954 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                              Host: ip-api.com
                              Connection: Keep-Alive
                              Jan 1, 2025 10:41:01.088197947 CET | 175 | IN | HTTP/1.1 200 OK
                              Date: Wed, 01 Jan 2025 09:41:00 GMT
                              Content-Type: text/plain; charset=utf-8
                              Content-Length: 6
                              Access-Control-Allow-Origin: *
                              X-Ttl: 60
                              X-Rl: 44
                              Data Raw: 66 61 6c 73 65 0a
                              Data Ascii: false


                              Session ID | Source IP | Source Port | Destination IP | Destination Port
                              1 | 192.168.2.4 | 50012 | 208.95.112.1 | 80
                              Timestamp | Bytes transferred | Direction | Data
                              Jan 1, 2025 10:44:04.798460960 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                              Host: ip-api.com
                              Connection: Keep-Alive
                              Jan 1, 2025 10:44:05.273091078 CET | 175 | IN | HTTP/1.1 200 OK
                              Date: Wed, 01 Jan 2025 09:44:04 GMT
                              Content-Type: text/plain; charset=utf-8
                              Content-Length: 6
                              Access-Control-Allow-Origin: *
                              X-Ttl: 60
                              X-Rl: 44
                              Data Raw: 66 61 6c 73 65 0a
                              Data Ascii: false


                              Target ID:0
                              Start time:04:40:55
                              Start date:01/01/2025
                              Path:C:\Users\user\Desktop\rivalsanticheat.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\rivalsanticheat.exe"
                              Imagebase:0x3f0000
                              File size:73'216 bytes
                              MD5 hash:DED1521D6EF291309ADE101B3844FA22
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1648426795.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1648426795.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3451897857.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:04:41:01
                              Start date:01/01/2025
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "rivalsanticheat" /tr "C:\Users\user\AppData\Roaming\rivalsanticheat.exe"
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:04:41:01
                              Start date:01/01/2025
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:04:41:03
                              Start date:01/01/2025
                              Path:C:\Users\user\AppData\Roaming\rivalsanticheat.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Users\user\AppData\Roaming\rivalsanticheat.exe
                              Imagebase:0x220000
                              File size:73'216 bytes
                              MD5 hash:DED1521D6EF291309ADE101B3844FA22
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Author: Joe Security
                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Author: Joe Security
                              • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Author: Sekoia.io
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\rivalsanticheat.exe, Author: ditekSHen
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 79%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:7
                              Start time:04:42:01
                              Start date:01/01/2025
                              Path:C:\Users\user\AppData\Roaming\rivalsanticheat.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Users\user\AppData\Roaming\rivalsanticheat.exe
                              Imagebase:0x5d0000
                              File size:73'216 bytes
                              MD5 hash:DED1521D6EF291309ADE101B3844FA22
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:9
                              Start time:04:43:00
                              Start date:01/01/2025
                              Path:C:\Users\user\AppData\Roaming\rivalsanticheat.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Users\user\AppData\Roaming\rivalsanticheat.exe
                              Imagebase:0xfb0000
                              File size:73'216 bytes
                              MD5 hash:DED1521D6EF291309ADE101B3844FA22
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:12
                              Start time:04:43:54
                              Start date:01/01/2025
                              Path:C:\Windows\System32\WerFault.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\WerFault.exe -u -p 1360 -s 1900
                              Imagebase:0x7ff63d330000
                              File size:570'736 bytes
                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                                Execution Graph

                                Execution Coverage:21.3%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:30%
                                Total number of Nodes:10
                                Total number of Limit Nodes:0

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.3454752165.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID: SAO_^
                                • API String ID: 0-3650529936
                                • Opcode ID: 348c0f186a655c100abfda0aaa591bb24ca82f47177a56a19d69337430369342
                                • Instruction ID: 07f60a353d42a9b07ab2955343f59041480e02ce8e560141560f7643dfb61e4f
                                • Opcode Fuzzy Hash: 348c0f186a655c100abfda0aaa591bb24ca82f47177a56a19d69337430369342
                                • Instruction Fuzzy Hash: 3AC13621B1DA1A4FDB58F7B8E875AFD3B92EF88320B85007AE01EC71D7DD6868018751

                                Control-flow Graph

                                control_flow_graph 129 7ffd9b8670f1-7ffd9b8671ad CheckRemoteDebuggerPresent 132 7ffd9b8671af 129->132 133 7ffd9b8671b5-7ffd9b8671f8 129->133 132->133
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3454752165.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID: CheckDebuggerPresentRemote
                                • String ID:
                                • API String ID: 3662101638-0
                                • Opcode ID: 4eb075e4435ce5f8b8bac5eb8eb89b0f9937c02a06894353f873dc59229d5b7f
                                • Instruction ID: 17532c2691509cc8d18ba32803e49610718eac6c126e3831c06988a142375221
                                • Opcode Fuzzy Hash: 4eb075e4435ce5f8b8bac5eb8eb89b0f9937c02a06894353f873dc59229d5b7f
                                • Instruction Fuzzy Hash: CB31133190871C8FCB58DF58C846BE97BF0EF65321F0542ABD489D7292D774A846CB91

                                Control-flow Graph

                                control_flow_graph 261 7ffd9b865b46-7ffd9b865b53 262 7ffd9b865b5e-7ffd9b865c27 261->262 263 7ffd9b865b55-7ffd9b865b5d 261->263 268 7ffd9b865c93 262->268 269 7ffd9b865c29-7ffd9b865c32 262->269 263->262 271 7ffd9b865c95-7ffd9b865cba 268->271 269->268 270 7ffd9b865c34-7ffd9b865c40 269->270 272 7ffd9b865c42-7ffd9b865c54 270->272 273 7ffd9b865c79-7ffd9b865c91 270->273 278 7ffd9b865cbc-7ffd9b865cc5 271->278 279 7ffd9b865d26 271->279 274 7ffd9b865c56 272->274 275 7ffd9b865c58-7ffd9b865c6b 272->275 273->271 274->275 275->275 277 7ffd9b865c6d-7ffd9b865c75 275->277 277->273 278->279 281 7ffd9b865cc7-7ffd9b865cd3 278->281 280 7ffd9b865d28-7ffd9b865dd0 279->280 292 7ffd9b865dd2-7ffd9b865ddc 280->292 293 7ffd9b865e3e 280->293 282 7ffd9b865d0c-7ffd9b865d24 281->282 283 7ffd9b865cd5-7ffd9b865ce7 281->283 282->280 285 7ffd9b865ce9 283->285 286 7ffd9b865ceb-7ffd9b865cfe 283->286 285->286 286->286 287 7ffd9b865d00-7ffd9b865d08 286->287 287->282 292->293 295 7ffd9b865dde-7ffd9b865deb 292->295 294 7ffd9b865e40-7ffd9b865e69 293->294 302 7ffd9b865ed3 294->302 303 7ffd9b865e6b-7ffd9b865e76 294->303 296 7ffd9b865e24-7ffd9b865e3c 295->296 297 7ffd9b865ded-7ffd9b865dff 295->297 296->294 298 7ffd9b865e01 297->298 299 7ffd9b865e03-7ffd9b865e16 297->299 298->299 299->299 301 7ffd9b865e18-7ffd9b865e20 299->301 301->296 304 7ffd9b865ed5-7ffd9b865f66 302->304 303->302 305 7ffd9b865e78-7ffd9b865e86 303->305 313 7ffd9b865f6c-7ffd9b865f7b 304->313 306 7ffd9b865ebf-7ffd9b865ed1 305->306 307 7ffd9b865e88-7ffd9b865e9a 305->307 306->304 309 7ffd9b865e9e-7ffd9b865eb1 307->309 310 7ffd9b865e9c 307->310 309->309 311 7ffd9b865eb3-7ffd9b865ebb 309->311 310->309 311->306 314 7ffd9b865f83-7ffd9b865fe8 call 7ffd9b866004 313->314 315 7ffd9b865f7d 313->315 323 7ffd9b865fef-7ffd9b866003 314->323 324 7ffd9b865fea 314->324 315->314 324->323
                                Memory Dump Source
                                • Source File: 00000000.00000002.3454752165.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d63866d3eda4b8e32694758a73632e563bed02f98c9a336f572b971161159886
                                • Instruction ID: 025dd608396b0da19c102160695462f84929b677cfd417382d05b4685f0dae2f
                                • Opcode Fuzzy Hash: d63866d3eda4b8e32694758a73632e563bed02f98c9a336f572b971161159886
                                • Instruction Fuzzy Hash: 23F1B830A09A4E8FEBA8DF28D859BE937E1FF58310F44426EE84DC7295DF3499458781

                                Control-flow Graph

                                control_flow_graph 325 7ffd9b8668f2-7ffd9b8668ff 326 7ffd9b866901-7ffd9b866909 325->326 327 7ffd9b86690a-7ffd9b8669d7 325->327 326->327 332 7ffd9b866a43 327->332 333 7ffd9b8669d9-7ffd9b8669e2 327->333 334 7ffd9b866a45-7ffd9b866a6a 332->334 333->332 335 7ffd9b8669e4-7ffd9b8669f0 333->335 341 7ffd9b866a6c-7ffd9b866a75 334->341 342 7ffd9b866ad6 334->342 336 7ffd9b8669f2-7ffd9b866a04 335->336 337 7ffd9b866a29-7ffd9b866a41 335->337 339 7ffd9b866a06 336->339 340 7ffd9b866a08-7ffd9b866a1b 336->340 337->334 339->340 340->340 343 7ffd9b866a1d-7ffd9b866a25 340->343 341->342 344 7ffd9b866a77-7ffd9b866a83 341->344 345 7ffd9b866ad8-7ffd9b866afd 342->345 343->337 346 7ffd9b866abc-7ffd9b866ad4 344->346 347 7ffd9b866a85-7ffd9b866a97 344->347 352 7ffd9b866aff-7ffd9b866b09 345->352 353 7ffd9b866b6b 345->353 346->345 348 7ffd9b866a99 347->348 349 7ffd9b866a9b-7ffd9b866aae 347->349 348->349 349->349 351 7ffd9b866ab0-7ffd9b866ab8 349->351 351->346 352->353 354 7ffd9b866b0b-7ffd9b866b18 352->354 355 7ffd9b866b6d-7ffd9b866b9b 353->355 356 7ffd9b866b51-7ffd9b866b69 354->356 357 7ffd9b866b1a-7ffd9b866b2c 354->357 362 7ffd9b866b9d-7ffd9b866ba8 355->362 363 7ffd9b866c0b 355->363 356->355 358 7ffd9b866b2e 357->358 359 7ffd9b866b30-7ffd9b866b43 357->359 358->359 359->359 361 7ffd9b866b45-7ffd9b866b4d 359->361 361->356 362->363 365 7ffd9b866baa-7ffd9b866bb8 362->365 364 7ffd9b866c0d-7ffd9b866ce5 363->364 375 7ffd9b866ceb-7ffd9b866cfa 364->375 366 7ffd9b866bf1-7ffd9b866c09 365->366 367 7ffd9b866bba-7ffd9b866bcc 365->367 366->364 369 7ffd9b866bce 367->369 370 7ffd9b866bd0-7ffd9b866be3 367->370 369->370 370->370 372 7ffd9b866be5-7ffd9b866bed 370->372 372->366 376 7ffd9b866d02-7ffd9b866d64 call 7ffd9b866d80 375->376 377 7ffd9b866cfc 375->377 385 7ffd9b866d6b-7ffd9b866d7f 376->385 386 7ffd9b866d66 376->386 377->376 386->385
                                Memory Dump Source
                                • Source File: 00000000.00000002.3454752165.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0b322fdaf36009a1e954367d849c492c44fd7952800feb87c6f9bfaacecc6b04
                                • Instruction ID: dfef53da1a337c2e194f3e0202652d1a330fa8437d8219cb0ca541f9d0665638
                                • Opcode Fuzzy Hash: 0b322fdaf36009a1e954367d849c492c44fd7952800feb87c6f9bfaacecc6b04
                                • Instruction Fuzzy Hash: 2FE10870A09A8E8FEBA8DF28C8657E977D1FF58310F44426ED84DC7295DF7499408781

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000000.00000002.3454752165.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7de7eede8c3be66c5d00c4ed6a0b59e12e2fe4c34bdc46d55835d64682b08330
                                • Instruction ID: ef13b4e02f7ea6a8ae20167fd4548e3f9a858556e922ab6f71e9179e39fab753
                                • Opcode Fuzzy Hash: 7de7eede8c3be66c5d00c4ed6a0b59e12e2fe4c34bdc46d55835d64682b08330
                                • Instruction Fuzzy Hash: 89C1A160B1D94A8FEBA8FB688475A7D77D2EF9C301F45017AE05EC32E7DE28A9014741

                                Control-flow Graph

                                Control-flow graph (rendered graph omitted): basic blocks 7ffd9b8689ad-7ffd9b868acd; calls RtlSetProcessIsCritical from block 7ffd9b868a32-7ffd9b868a90.
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3454752165.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID: CriticalProcess
                                • String ID:
                                • API String ID: 2695349919-0
                                • Opcode ID: 9f3607a8847afdc2d9cb3efde19c195dfbbcb96b7bb116cdaa8224946317db29
                                • Instruction ID: a1883d12b636d3307276c990f4f809715839a344c72dae7078361333b8580182
                                • Opcode Fuzzy Hash: 9f3607a8847afdc2d9cb3efde19c195dfbbcb96b7bb116cdaa8224946317db29
                                • Instruction Fuzzy Hash: 7441F43190C6588FD729DFA8D855AE9BBF0FF56311F08416FE08AC3592CB746846CB91

                                Control-flow Graph

                                Control-flow graph (rendered graph omitted): basic blocks 7ffd9b8683d5-7ffd9b868acd; calls RtlSetProcessIsCritical from block 7ffd9b868a32-7ffd9b868a90.
                                Memory Dump Source
                                • Source File: 00000000.00000002.3454752165.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 420bf506d49105cf0754f788d1c0db07f6283e099ce22559ca19f71a13072016
                                • Instruction ID: 226203f15fc65b7fdcf1e34ca29b0ef3a12dddf491cb6c2618f31b59bebd33f0
                                • Opcode Fuzzy Hash: 420bf506d49105cf0754f788d1c0db07f6283e099ce22559ca19f71a13072016
                                • Instruction Fuzzy Hash: 1841253190D7888FDB29DBAC98556F97BF0EF6A310F04016FD09AC3293CA646946CB52

                                Control-flow Graph

                                Control-flow graph (rendered graph omitted): basic blocks 7ffd9b8683f0-7ffd9b868acd; calls RtlSetProcessIsCritical from block 7ffd9b8683f0-7ffd9b868a90.
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.3454752165.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID: CriticalProcess
                                • String ID:
                                • API String ID: 2695349919-0
                                • Opcode ID: 30abd319f84af1f2dd749bc0454e3af400e91b86dda61557f071afef0c38cfa7
                                • Instruction ID: 8208b97b22a51ebda62c09ea6ddfb68525197c6b9f16b8418250f3a92daa086e
                                • Opcode Fuzzy Hash: 30abd319f84af1f2dd749bc0454e3af400e91b86dda61557f071afef0c38cfa7
                                • Instruction Fuzzy Hash: 2241137190CB488FDB29DB9C9855AF97BF0EF69311F04012FE09AC3292DB646846CB91
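                                The three functions above (entry points 7ffd9b8689ad, 7ffd9b8683d5 and 7ffd9b8683f0) all fall through to the same block at 7ffd9b868a32-7ffd9b868a90 that calls RtlSetProcessIsCritical, which is what the "Protects its processes via BreakOnTermination flag" signature in the overview refers to. RtlSetProcessIsCritical sets the ProcessBreakOnTermination flag on the calling process; once it is set, terminating the process with Stop-Process, taskkill or an EDR kill action bugchecks the host (CRITICAL_PROCESS_DIED) instead of just ending the process. A responder therefore has to clear the flag before killing the sample. The following PowerShell is an added example written for this report, not code from Joe Sandbox or from the sample: it queries and clears ProcessBreakOnTermination through ntdll. It assumes the P/Invoke signatures for NtQueryInformationProcess, NtSetInformationProcess and RtlAdjustPrivilege, PROCESSINFOCLASS value 29 for ProcessBreakOnTermination and privilege LUID 20 for SeDebugPrivilege, which the set operation requires; the function names Get-BreakOnTermination, Clear-BreakOnTermination and Stop-CriticalProcessSafely are this example's own.

```powershell
# Added example (not part of the Joe Sandbox report or the analysed sample):
# find processes that set the BreakOnTermination flag (RtlSetProcessIsCritical)
# and clear it before termination, so killing the process does not bugcheck the host.
# Assumed: ntdll!NtQueryInformationProcess / NtSetInformationProcess with
# PROCESSINFOCLASS ProcessBreakOnTermination = 29; ntdll!RtlAdjustPrivilege with
# SeDebugPrivilege = 20 (NtSetInformationProcess needs it for this class). Run elevated.

$definition = @'
using System;
using System.Runtime.InteropServices;
public static class CriticalProc
{
    public const int  ProcessBreakOnTermination  = 29;      // PROCESSINFOCLASS (assumed value)
    public const int  SeDebugPrivilege           = 20;      // privilege LUID (assumed value)
    public const uint PROCESS_QUERY_INFORMATION  = 0x0400;
    public const uint PROCESS_SET_INFORMATION    = 0x0200;

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref int info, int infoLength, out int returnLength);

    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr hProcess, int infoClass,
        ref int info, int infoLength);

    [DllImport("ntdll.dll")]
    public static extern int RtlAdjustPrivilege(int privilege,
        [MarshalAs(UnmanagedType.U1)] bool enable,
        [MarshalAs(UnmanagedType.U1)] bool currentThread,
        [MarshalAs(UnmanagedType.U1)] out bool wasEnabled);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inheritHandle, int processId);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $definition

function Get-BreakOnTermination {
    # $true when the process has the critical flag set (what RtlSetProcessIsCritical(TRUE) does).
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [CriticalProc]::OpenProcess([CriticalProc]::PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $flag = 0; $returned = 0
        $status = [CriticalProc]::NtQueryInformationProcess($h, [CriticalProc]::ProcessBreakOnTermination,
                                                            [ref]$flag, 4, [ref]$returned)
        if ($status -ne 0) { throw ("NtQueryInformationProcess failed: 0x{0:X8}" -f $status) }
        return ($flag -ne 0)
    } finally { [void][CriticalProc]::CloseHandle($h) }
}

function Clear-BreakOnTermination {
    # Writes 0 to ProcessBreakOnTermination; requires SeDebugPrivilege enabled in our token.
    param([Parameter(Mandatory)][int]$ProcessId)
    $wasEnabled = $false
    $status = [CriticalProc]::RtlAdjustPrivilege([CriticalProc]::SeDebugPrivilege, $true, $false, [ref]$wasEnabled)
    if ($status -ne 0) { throw ("Could not enable SeDebugPrivilege (not elevated?): 0x{0:X8}" -f $status) }
    $access = [CriticalProc]::PROCESS_QUERY_INFORMATION -bor [CriticalProc]::PROCESS_SET_INFORMATION
    $h = [CriticalProc]::OpenProcess($access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) for SET_INFORMATION failed" }
    try {
        $zero = 0
        $status = [CriticalProc]::NtSetInformationProcess($h, [CriticalProc]::ProcessBreakOnTermination, [ref]$zero, 4)
        if ($status -ne 0) { throw ("NtSetInformationProcess failed: 0x{0:X8}" -f $status) }
    } finally { [void][CriticalProc]::CloseHandle($h) }
}

function Stop-CriticalProcessSafely {
    # Clear the flag, re-read it to confirm, and only then terminate.
    param([Parameter(Mandatory)][int]$ProcessId)
    if (Get-BreakOnTermination -ProcessId $ProcessId) {
        Clear-BreakOnTermination -ProcessId $ProcessId
        if (Get-BreakOnTermination -ProcessId $ProcessId) {
            throw "BreakOnTermination still set on PID $ProcessId; refusing to terminate"
        }
    }
    Stop-Process -Id $ProcessId -Force
}

# Survey: list every process that currently carries the flag. Processes that refuse
# PROCESS_QUERY_INFORMATION (protected processes) are skipped. csrss.exe, smss.exe and
# wininit.exe are critical by design; an unsigned user-mode binary in this list is a lead.
Get-Process | ForEach-Object {
    try {
        if (Get-BreakOnTermination -ProcessId $_.Id) { $_ | Select-Object Id, ProcessName, Path }
    } catch { }
}
```

Usage: run the survey from an elevated PowerShell on the suspect host, then `Stop-CriticalProcessSafely -ProcessId <pid>` on the flagged process. The re-read after clearing is deliberate: if NtSetInformationProcess fails (typically STATUS_PRIVILEGE_NOT_HELD, 0xC0000061, when SeDebugPrivilege could not be enabled), the function refuses to terminate rather than risk the bugcheck.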
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a812565455f6609712ee10cd4f170de1a0eb1438ae2e7196bd92ccf45a36e2c0
                                • Instruction ID: 10c5cb460cdb5c6c9d2c51ac44445aa83e8ffa729800b52400e4983e125f1591
                                • Opcode Fuzzy Hash: a812565455f6609712ee10cd4f170de1a0eb1438ae2e7196bd92ccf45a36e2c0
                                • Instruction Fuzzy Hash: DAD15922F5951A4FD758F7F8A875AFD3B92EF88320B4500BAE04EC71DBDD6868018791
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cd94cf093ab96fa1fc01234c1891b073eed558c0f2eea5c3338773cb545c6393
                                • Instruction ID: 527c02e0507c6dc9ea478f4d1d5a821f287ab0db0625ba86b879e9caf8f3b09b
                                • Opcode Fuzzy Hash: cd94cf093ab96fa1fc01234c1891b073eed558c0f2eea5c3338773cb545c6393
                                • Instruction Fuzzy Hash: B3912921B6991A4FDB68F7F8A4756FD7B92EF88310F810479E00EC72DBDD6868008791
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b3ad9d5bddba47868a924712a30110caabb2c4c49cc56c668db51c4a6797508f
                                • Instruction ID: 2a0dec2619049e109500ce8bd19112ced754269bbb048c70456a478ace3b22b7
                                • Opcode Fuzzy Hash: b3ad9d5bddba47868a924712a30110caabb2c4c49cc56c668db51c4a6797508f
                                • Instruction Fuzzy Hash: 6A513621B1E68A0FE356B77C98669B53BD2DF86225B4900FBD08DC71EBDD0C5C468352
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fb9e41e2d62815aafa074e890c42a008814b599bbb7e461acd8bd39b19f72398
                                • Instruction ID: 69feb4e833b610f0c173a97f27136206d7e732cd23dfed8c60994dcb77d9f587
                                • Opcode Fuzzy Hash: fb9e41e2d62815aafa074e890c42a008814b599bbb7e461acd8bd39b19f72398
                                • Instruction Fuzzy Hash: 61515C36B289198FDB05BBBCD861AED3BA1EFC8311F444476D008CB2D7DD7464468791
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6ea6439b20a02ec2a1a1c85fe3408b92ca9cb5978dfa0271d7675e787cc8ba71
                                • Instruction ID: f323811328f3f6de565810af949a1ffaa43497acac42b8fd02bc883c3f70007f
                                • Opcode Fuzzy Hash: 6ea6439b20a02ec2a1a1c85fe3408b92ca9cb5978dfa0271d7675e787cc8ba71
                                • Instruction Fuzzy Hash: CA51C311B0D6C50FD796AB7898696657FE2DF8A220B0901FFE08DCB2A7DD585C06C312
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b46b71d66c7ef6ce6bd82a77ea1861a8f558f6203a4fdc4a3764ba04baf7b13d
                                • Instruction ID: c3fb551492b73907f2dff88aee3d44e2f157643cab0864313468ffe7fd9ced6a
                                • Opcode Fuzzy Hash: b46b71d66c7ef6ce6bd82a77ea1861a8f558f6203a4fdc4a3764ba04baf7b13d
                                • Instruction Fuzzy Hash: 66418927B1955A8ED702377DA8619ED3F61DFC1776B0941B7C148CF0D7C964204A87E1
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 80f548aef9e9f364d73138df1967d337c89a3316226c45c8c2ef257a3c551f4f
                                • Instruction ID: cadf1800cbe8a4533a10ca52fda2014bb2b9c1884d4a768bda5f0f828746d9ff
                                • Opcode Fuzzy Hash: 80f548aef9e9f364d73138df1967d337c89a3316226c45c8c2ef257a3c551f4f
                                • Instruction Fuzzy Hash: 8E31C621B189490FE798FB2C586A77DA6D2EF9C355F0505BEE00EC32DBDD689C418341
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fd4ff4fddf7b3427ce0988a9c86c58f140d64a899ad5a9019632b9db15286540
                                • Instruction ID: 360c0bb75171111d6f8415342be274406f65c49ea4882828189c019a6a530f09
                                • Opcode Fuzzy Hash: fd4ff4fddf7b3427ce0988a9c86c58f140d64a899ad5a9019632b9db15286540
                                • Instruction Fuzzy Hash: 8931E761B189094FEB54B7BC5C697BD76D2EF98711F1002B6E00DC32DBDE286C418752
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ead32debabf2130f6a56fe15b5a8569ff25b1f9dcaa13b63b828d031d80e6eb6
                                • Instruction ID: 17c0f65feb2da17ddea959a56c198ae5b635071d6501124f3f4f5a9faaa08902
                                • Opcode Fuzzy Hash: ead32debabf2130f6a56fe15b5a8569ff25b1f9dcaa13b63b828d031d80e6eb6
                                • Instruction Fuzzy Hash: F511C61B6086A14EC702B77DB8E09E87B20DEC223571801F3C2C6CE487D558648AC7E2
                                Memory Dump Source
                                • Source File: 00000003.00000002.1763584784.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd9b860000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2cc8d16293fa9e4fea729e9766318ebf1824f466ec72c5bb1c4d064eda7b82f9
                                • Instruction ID: 310a87a5c44ca297469a7f98ec624ef5906843caafaab09c3f5a9479a8c0169e
                                • Opcode Fuzzy Hash: 2cc8d16293fa9e4fea729e9766318ebf1824f466ec72c5bb1c4d064eda7b82f9
                                • Instruction Fuzzy Hash: 2001DD01E1E7454FFB55BB7858614B17FF0DF9A300F4408BAE8C8C70ABF918AA018392
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e84bbc8021c0d23e81eb20519ae526fde690239b559691859c205211832b59b3
                                • Instruction ID: 7981c5c7f3d1eaa1aa5b56589dcbc4326e204054b8e61d608d74e49acdbbe9e6
                                • Opcode Fuzzy Hash: e84bbc8021c0d23e81eb20519ae526fde690239b559691859c205211832b59b3
                                • Instruction Fuzzy Hash: 80D18822F5D51A0FDB58B7B8A8755FE3BA2EF88320B45007AE05EC71E7ED6828018741
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 73e7cace1728b20ab3f3a9d5678546f27c1d998eab8e3eec88018f86e50dafb0
                                • Instruction ID: 3cd8c6cd75e1e774854f3d573953b38cbdc6cd2ee965c49476a586dfc422d3c2
                                • Opcode Fuzzy Hash: 73e7cace1728b20ab3f3a9d5678546f27c1d998eab8e3eec88018f86e50dafb0
                                • Instruction Fuzzy Hash: F291D621B5D91A1FDB69F7B8A4756FD3BA2FF88310B450475E01EC32E7EE2868018751
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dea4c9168549d84d049415e0fd7e06148b6355b12ed12a8b35cddce30564f23b
                                • Instruction ID: 406fcd3b8155180ac3bd2840828abc499112aa665c6c33b91c350a4ee5fb2295
                                • Opcode Fuzzy Hash: dea4c9168549d84d049415e0fd7e06148b6355b12ed12a8b35cddce30564f23b
                                • Instruction Fuzzy Hash: 66511621B1E68A0FE756B77C98269B93FD2DF8A225B0940FBD08DC71E7DC1858468352
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72641a4f3508c286d7652df299bbe5df3fc3ef54a10f7b53f7522751546cb8ba
                                • Instruction ID: f379a40a8669e65b2a69fec47556bc2e95c25ff9d1d3d45686a7fa57ffd83846
                                • Opcode Fuzzy Hash: 72641a4f3508c286d7652df299bbe5df3fc3ef54a10f7b53f7522751546cb8ba
                                • Instruction Fuzzy Hash: F4513836B1891A8FDB05BBBCE8216ED7BA2EF89311F0400B6D118C72D7DE7564468B91
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5056ec8e6b9f658ac37c51e8d35d4ef882e093dfd8e347ef869ee072a4d28529
                                • Instruction ID: 92aaf519302364150faf4662d7a4241812e76812147fa77e9e69bb0a2d9b20a8
                                • Opcode Fuzzy Hash: 5056ec8e6b9f658ac37c51e8d35d4ef882e093dfd8e347ef869ee072a4d28529
                                • Instruction Fuzzy Hash: 1151B311B1E6C90FD796AB7858696657FE2DF8A220B0901FBE08DC72E7CD595C06C312
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9238cfb8498e977f66dfbc1a6dad7ec2c3f74c9cf60c4e85a5265fe1bd456f4
                                • Instruction ID: 416b9a05c193b1525b7c2c933606bd22e9d170f44b4bbe4a673e4e5f34a8244a
                                • Opcode Fuzzy Hash: c9238cfb8498e977f66dfbc1a6dad7ec2c3f74c9cf60c4e85a5265fe1bd456f4
                                • Instruction Fuzzy Hash: 72414667B1D65A4EDB027BBCA8215FD3FA1DF86375B0901B7C148CB0E3C965204A87D2
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a273ea4cd3146c9237d8c033593b6829e266f66730d9ad816db9537a44f49047
                                • Instruction ID: d05b00937aaf73c45cb01d968da97a5e877b256ae291e002f514659a7323118f
                                • Opcode Fuzzy Hash: a273ea4cd3146c9237d8c033593b6829e266f66730d9ad816db9537a44f49047
                                • Instruction Fuzzy Hash: D331C621B1C9490FE798FB2C986A679A6D2EF9C355F0505BEE01EC32DBDD689C018341
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9178a427ecb76c7387f95407d150199b8789de1a2d4c43981070c1b67c7d332f
                                • Instruction ID: 4a2eaa70817b2792655dd5bf904677f43055338e733ae363cd091e3e15d742a1
                                • Opcode Fuzzy Hash: 9178a427ecb76c7387f95407d150199b8789de1a2d4c43981070c1b67c7d332f
                                • Instruction Fuzzy Hash: B931C861F199090FEB54B7BC5C2A7BD77D1EF98751F1402B6E01DC32D6DE2868414782
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d640001267189c0d08b89b8b0440d150a618f494ab0185ad6c62638d9caebe34
                                • Instruction ID: 79b38a8fa1a71b1893232eed54d3a230d7bfe2b60dde9aeff46ae5e66edc97f5
                                • Opcode Fuzzy Hash: d640001267189c0d08b89b8b0440d150a618f494ab0185ad6c62638d9caebe34
                                • Instruction Fuzzy Hash: E31173166496A14ED703A7BCB8A14F87B60DE4236571801F3C1C5DE0ABD558648BC7D6
                                Memory Dump Source
                                • Source File: 00000007.00000002.2344942838.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_7_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eeae1578e7b3e9bdd06e75ea94dbd0e7cc8253bb46477753bad8166be5e9aba9
                                • Instruction ID: f12a0271ef049ce71538f7dcb18b2258e4c74407bd3a9121989f604c03b2717c
                                • Opcode Fuzzy Hash: eeae1578e7b3e9bdd06e75ea94dbd0e7cc8253bb46477753bad8166be5e9aba9
                                • Instruction Fuzzy Hash: 03017B11A1E7950FEB66B73848715617FE0DF99240B0505BEE489C71E3E9186A428342
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8607719c3c3cdfcd17f60e214f79e3db0197db8c66b740af6f18dc9707675bce
                                • Instruction ID: a21ac0addb9dfe175c71684f2549d630578b0e94ce8655fe661f8efc204b5876
                                • Opcode Fuzzy Hash: 8607719c3c3cdfcd17f60e214f79e3db0197db8c66b740af6f18dc9707675bce
                                • Instruction Fuzzy Hash: 0BD15B22F1D51A1FDB59B7B8A8755FD3BA2EF88324B4400BAE04EC71EBED682441C751
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2711c7ecf69cbe4378e7be9ead3dc98c3b16b0fd606bcc2ab0a42e4e5890e6b6
                                • Instruction ID: c29f87ec709e771fc7e44ae55a4d0e9f4e0f6f18ae33c4ffe31bc19315a641c8
                                • Opcode Fuzzy Hash: 2711c7ecf69cbe4378e7be9ead3dc98c3b16b0fd606bcc2ab0a42e4e5890e6b6
                                • Instruction Fuzzy Hash: 7E911921B1991E5FDB98F7B894796FD3BA2FF88310B550075E00EC72EBED2869018751
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c8b2eb190e357733c0055b91209d542156d03a25749434e7415891abd836c9dd
                                • Instruction ID: 5ddcb76f00696c108b2a9633949374185335bb5f27754656b9e7101d5d42af21
                                • Opcode Fuzzy Hash: c8b2eb190e357733c0055b91209d542156d03a25749434e7415891abd836c9dd
                                • Instruction Fuzzy Hash: B5510621B1E68A0FE756B77C98269B93FD2DF86225B0940FBD08DC71E7DD0C58468352
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 82423b2f6978b42f6d24dea516a45f778907fc3640c95a282f8514eb4176ef83
                                • Instruction ID: 498aab195056f4404ae0cfa1c6d9d713361c45933a6c674a375dd70579a135aa
                                • Opcode Fuzzy Hash: 82423b2f6978b42f6d24dea516a45f778907fc3640c95a282f8514eb4176ef83
                                • Instruction Fuzzy Hash: A7515832B189198FDB05BBBCD8215ED3BA2EF89315F1440B6D009CB2D7DE7964468B91
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a43e62c1864bee2a444dd4722e6944bb791c00b9642045fda3d78f48a79c79ed
                                • Instruction ID: 6000432fdb3b6759a9e3c49ad48f52baa353c7d133117ce2b9cc34c6ed420384
                                • Opcode Fuzzy Hash: a43e62c1864bee2a444dd4722e6944bb791c00b9642045fda3d78f48a79c79ed
                                • Instruction Fuzzy Hash: A551D411B0E6C90FD796AB7858696657FE2DF8A220B0901FFE08DC72E7CD585C06C312
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 729669c109e1af4ed943eefe1347982a661b19abafd8ce57fdbdbb7f40363555
                                • Instruction ID: 130af615797e72577d15f0d5293aef4e78259fd91440afe2688eda33fa600bb7
                                • Opcode Fuzzy Hash: 729669c109e1af4ed943eefe1347982a661b19abafd8ce57fdbdbb7f40363555
                                • Instruction Fuzzy Hash: 2E414667B1965A4EDB027BBCA8215FD3FA1DF82375B0941B7C148CB0E3C965204A87D2
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 774464d489218bb8798330d9a79b652e74ac175090ac1af7f4f366b5ec03c77b
                                • Instruction ID: 59a8d2fb4bbf9f0137ace0a7b37354b329b9856c83924c5dc756c030650711b0
                                • Opcode Fuzzy Hash: 774464d489218bb8798330d9a79b652e74ac175090ac1af7f4f366b5ec03c77b
                                • Instruction Fuzzy Hash: 7231C621B1C9490FE798FB2C586A679A6D2EF9C355F0501BEE00EC32DBDD689C018341
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9178a427ecb76c7387f95407d150199b8789de1a2d4c43981070c1b67c7d332f
                                • Instruction ID: 4a2eaa70817b2792655dd5bf904677f43055338e733ae363cd091e3e15d742a1
                                • Opcode Fuzzy Hash: 9178a427ecb76c7387f95407d150199b8789de1a2d4c43981070c1b67c7d332f
                                • Instruction Fuzzy Hash: B931C861F199090FEB54B7BC5C2A7BD77D1EF98751F1402B6E01DC32D6DE2868414782
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d640001267189c0d08b89b8b0440d150a618f494ab0185ad6c62638d9caebe34
                                • Instruction ID: 79b38a8fa1a71b1893232eed54d3a230d7bfe2b60dde9aeff46ae5e66edc97f5
                                • Opcode Fuzzy Hash: d640001267189c0d08b89b8b0440d150a618f494ab0185ad6c62638d9caebe34
                                • Instruction Fuzzy Hash: E31173166496A14ED703A7BCB8A14F87B60DE4236571801F3C1C5DE0ABD558648BC7D6
                                Memory Dump Source
                                • Source File: 00000009.00000002.2932541203.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_9_2_7ffd9b890000_rivalsanticheat.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6b7ff0ee8d4cf8e6f8f77305ec6426f55c4d20360ea908f093a8e53953cbca46
                                • Instruction ID: 88fc0a68069be4fabc6e32eb34727124107209d0f8aad262fd19bb9393816350
                                • Opcode Fuzzy Hash: 6b7ff0ee8d4cf8e6f8f77305ec6426f55c4d20360ea908f093a8e53953cbca46
                                • Instruction Fuzzy Hash: 95017B11A1E7954FEB66B73848615617FE0DF95244B0805BEE489C70E7E9086A428342