Windows Analysis Report
rwlPT9YJt0.exe

Overview

General Information

Sample name: rwlPT9YJt0.exe (renamed because original name is a hash value)
Original sample name: 86c77bf7333198c8e299f4825812790b6254013bcf8725e5ced098d39f87c21f.exe
Analysis ID: 1588589
MD5: f2366f3502c99eb271ef13d52cffc955
SHA1: 604d14da5634e8fae303e686e8aa000cc4d7ac1b
SHA256: 86c77bf7333198c8e299f4825812790b6254013bcf8725e5ced098d39f87c21f
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect the country of the analysis system (by using the IP)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rwlPT9YJt0.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\rwlPT9YJt0.exe" MD5: F2366F3502C99EB271EF13D52CFFC955)
    • cmd.exe (PID: 7704 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\rwlPT9YJt0.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7752 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Malware configuration (Snake Keylogger): {"Exfil Mode": "Telegram", "Username": "info@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "8043217727:AAHet_KMDJubZguJgq0Cp7yrQCzgcnbbXpU", "Chat_id": "6247294228", "Version": "5.1"}
Source | Rule | Description | Author | Strings
rwlPT9YJt0.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
rwlPT9YJt0.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
rwlPT9YJt0.exe | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
rwlPT9YJt0.exe | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14b1f:$a1: get_encryptedPassword
  • 0x14e0b:$a2: get_encryptedUsername
  • 0x1492b:$a3: get_timePasswordChanged
  • 0x14a26:$a4: get_passwordField
  • 0x14b35:$a5: set_encryptedPassword
  • 0x161d0:$a7: get_logins
  • 0x16133:$a10: KeyLoggerEventArgs
  • 0x15d9e:$a11: KeyLoggerEventArgsEventHandler
rwlPT9YJt0.exe | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1c64a:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b87c:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bcaf:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ccee:$a5: \Kometa\User Data\Default\Login Data
Source | Rule | Description | Author | Strings
00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x1491f:$a1: get_encryptedPassword
  • 0x14c0b:$a2: get_encryptedUsername
  • 0x1472b:$a3: get_timePasswordChanged
  • 0x14826:$a4: get_passwordField
  • 0x14935:$a5: set_encryptedPassword
  • 0x15fd0:$a7: get_logins
  • 0x15f33:$a10: KeyLoggerEventArgs
  • 0x15b9e:$a11: KeyLoggerEventArgsEventHandler
00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x182f8:$x1: $%SMTPDV$
  • 0x1835e:$x2: $#TheHashHere%&
  • 0x19a4c:$x3: %FTPDV$
  • 0x19b40:$x4: $%TelegramDv$
  • 0x15b9e:$x5: KeyLoggerEventArgs
  • 0x15f33:$x5: KeyLoggerEventArgs
  • 0x19a70:$m2: Clipboard Logs ID
  • 0x19c90:$m2: Screenshot Logs ID
  • 0x19da0:$m2: keystroke Logs ID
  • 0x1a07a:$m3: SnakePW
  • 0x19c68:$m4: \SnakeKeylogger\
Source | Rule | Description | Author | Strings
1.0.rwlPT9YJt0.exe.660000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.0.rwlPT9YJt0.exe.660000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
1.0.rwlPT9YJt0.exe.660000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
1.0.rwlPT9YJt0.exe.660000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14b1f:$a1: get_encryptedPassword
  • 0x14e0b:$a2: get_encryptedUsername
  • 0x1492b:$a3: get_timePasswordChanged
  • 0x14a26:$a4: get_passwordField
  • 0x14b35:$a5: set_encryptedPassword
  • 0x161d0:$a7: get_logins
  • 0x16133:$a10: KeyLoggerEventArgs
  • 0x15d9e:$a11: KeyLoggerEventArgsEventHandler
1.0.rwlPT9YJt0.exe.660000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1c64a:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b87c:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bcaf:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ccee:$a5: \Kometa\User Data\Default\Login Data
                    No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T02:48:39.550636+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49754 | 104.21.80.1 | 443 | TCP
2025-01-11T02:48:40.778009+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49761 | 104.21.80.1 | 443 | TCP
2025-01-11T02:48:43.129523+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49780 | 104.21.80.1 | 443 | TCP
2025-01-11T02:48:46.456986+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49802 | 104.21.80.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T02:48:37.583191+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49732 | 193.122.130.0 | 80 | TCP
2025-01-11T02:48:38.973773+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49732 | 193.122.130.0 | 80 | TCP
2025-01-11T02:48:40.223788+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49759 | 193.122.130.0 | 80 | TCP

                    AV Detection

Source: rwlPT9YJt0.exe | Avira: detected
Source: 00000001.00000002.1493479148.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "info@gzdled.com.tr", "Password": "Gozdeled1048", "Host": "mail.gzdled.com.tr", "Port": "587", "Token": "8043217727:AAHet_KMDJubZguJgq0Cp7yrQCzgcnbbXpU", "Chat_id": "6247294228", "Version": "5.1"}
Source: rwlPT9YJt0.exe | ReversingLabs: Detection: 91%
Source: rwlPT9YJt0.exe | Virustotal: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: rwlPT9YJt0.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: rwlPT9YJt0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49743 version: TLS 1.0
Source: rwlPT9YJt0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Yara match | File source: rwlPT9YJt0.exe, type: SAMPLE
Source: Yara match | File source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.9:52726 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1; Host: reallyfreegeoip.org; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49759 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49732 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49802 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49754 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49780 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49761 -> 104.21.80.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49743 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: rwlPT9YJt0.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: rwlPT9YJt0.exe | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768

                    System Summary

                    Source: rwlPT9YJt0.exe, type: SAMPLEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: rwlPT9YJt0.exe, type: SAMPLEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: rwlPT9YJt0.exe, type: SAMPLEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: rwlPT9YJt0.exe, type: SAMPLEMatched rule: Detects Snake Keylogger Author: ditekSHen
                    Source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                    Source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                    Source: Process Memory Space: rwlPT9YJt0.exe PID: 7508, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: rwlPT9YJt0.exe PID: 7508, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EFC1931_2_00EFC193
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EFB3281_2_00EFB328
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EFC4701_2_00EFC470
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EFC7511_2_00EFC751
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EF67301_2_00EF6730
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EF98581_2_00EF9858
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EF4AD91_2_00EF4AD9
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EFCA311_2_00EFCA31
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EFBEB41_2_00EFBEB4
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EFB4F31_2_00EFB4F3
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeCode function: 1_2_00EF35701_2_00EF3570
                    Source: rwlPT9YJt0.exe, 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rwlPT9YJt0.exe
                    Source: rwlPT9YJt0.exe, 00000001.00000002.1492657518.0000000000BCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs rwlPT9YJt0.exe
                    Source: rwlPT9YJt0.exeBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rwlPT9YJt0.exe
                    Source: rwlPT9YJt0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: rwlPT9YJt0.exe, type: SAMPLEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: rwlPT9YJt0.exe, type: SAMPLEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: rwlPT9YJt0.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: rwlPT9YJt0.exe, type: SAMPLEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                    Source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                    Source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                    Source: Process Memory Space: rwlPT9YJt0.exe PID: 7508, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: rwlPT9YJt0.exe PID: 7508, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                    Source: classification engine | Classification label: mal100.troj.winEXE@6/1@2/2
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rwlPT9YJt0.exe.log
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
                    Source: rwlPT9YJt0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: rwlPT9YJt0.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: rwlPT9YJt0.exe | ReversingLabs: Detection: 91%
                    Source: rwlPT9YJt0.exe | Virustotal: Detection: 68%
                    Source: rwlPT9YJt0.exe | String found in binary or memory: F-Stopw
                    Source: unknown | Process created: C:\Users\user\Desktop\rwlPT9YJt0.exe "C:\Users\user\Desktop\rwlPT9YJt0.exe"
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\rwlPT9YJt0.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Sections loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                    (Reading: mscoree.dll and the *_clr0400.dll pair are the .NET runtime bootstrap; the winhttp.dll, dnsapi.dll, secur32.dll, schannel.dll, ncrypt.dll, ncryptsslp.dll sequence is the module profile of an outbound HTTPS client, which matches the TLS and IP-lookup network signatures listed for this sample.)
                    Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
                    Source: rwlPT9YJt0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: rwlPT9YJt0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\rwlPT9YJt0.exe"
                    (Reading: this is the "Self deletion via cmd or bat file" signature. choice /C Y /N /D Y /T 3 is a built-in that answers itself with Y after a 3 second timeout, so it serves as a sleep that needs no extra binary; by the time Del runs the parent process has exited and released the file lock on its own image. The detection hook is a cmd.exe child whose command line deletes the path of its own parent image.)
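The self-delete pattern above is easy to miss with a plain string match on "del", because the target path has to be compared with the parent image rather than with a fixed string. The following detector is an added example written for this report; it is not Joe Sandbox code and not part of the sample. It takes process-creation events in Sysmon Event ID 1 field style (Image, ParentImage, CommandLine; the field names and all three events are constructed, the first one copying the command line recorded above) and flags a cmd.exe child whose del/erase target is its own parent, also recording which delay primitive (choice, ping or timeout) was chained in front of the delete.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 field style
# (Image / ParentImage / CommandLine); these are not real telemetry. The first
# event mirrors the cmd.exe command line the sandbox recorded for rwlPT9YJt0.exe.
EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "ParentImage": r"C:\Users\user\Desktop\rwlPT9YJt0.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\rwlPT9YJt0.exe"',
    },
    {
        # cmd.exe deleting an unrelated file: must not fire
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /c del "C:\Users\user\Downloads\old.log"',
    },
    {
        # same technique with a different delay primitive and an unquoted target
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup.exe",
        "CommandLine": r"cmd.exe /c timeout /t 3 & erase /f /q C:\Users\user\AppData\Local\Temp\setup.exe",
    },
]

# A del/erase command at the start of the line, after a /c or /k switch, or after a
# command separator (& && |), with optional switches, then a quoted or bare target path.
DELETE_RE = re.compile(
    r'(?:^|[&|]\s*|/[ck]\s+)(?:del|erase)\b(?:\s+/\w+)*\s+(?:"([^"]+)"|(\S+))', re.I
)
# Built-in delay primitives chained in front of the delete so the parent has exited
# (and released the lock on its image) before the delete runs.
DELAY_RE = re.compile(
    r"\b(choice\b[^&|]*/T\s*\d+|ping\b[^&|]*-n\s*\d+|timeout\b[^&|]*/t\s*\d+)", re.I
)


def _norm(path):
    """Case-fold a Windows path and drop surrounding quotes for comparison."""
    return path.strip().strip('"').lower()


def detect_self_delete(event):
    """Return a finding dict when cmd.exe is asked to delete its own parent image, else None."""
    if not event["Image"].lower().endswith("\\cmd.exe"):
        return None
    cmd = event["CommandLine"]
    targets = {_norm(quoted or bare) for quoted, bare in DELETE_RE.findall(cmd)}
    if _norm(event["ParentImage"]) not in targets:
        return None
    delay = DELAY_RE.search(cmd)
    return {
        "parent": event["ParentImage"],
        "delay": delay.group(1).split()[0].lower() if delay else None,
    }


def scan(events):
    """Run the detector over a batch of events; returns (image, finding) pairs for hits."""
    hits = []
    for event in events:
        finding = detect_self_delete(event)
        if finding:
            hits.append((event["Image"], finding))
    return hits


if __name__ == "__main__":
    for image, finding in scan(EVENTS):
        print(f"self-delete via {image}: parent={finding['parent']} delay={finding['delay']}")
```

The comparison is done on the normalised parent path rather than on the file name alone, so a script that deletes a same-named file elsewhere does not fire; a production rule would additionally resolve 8.3 short names and environment variables in the command line, which this example does not attempt.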
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Process information set: NOOPENFILEERRORBOX (50 identical entries)
                    (Reading: this is SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the "file not found" dialog the system would otherwise show for a failed load. It keeps the sample silent when an optional DLL is missing, but it is also common in legitimate software and is a weak indicator on its own.)
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Memory allocated: EF0000 memory reserve, memory write watch
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Memory allocated: 2AA0000 memory reserve, memory write watch
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Memory allocated: 2920000 memory reserve, memory write watch
                    (Reading: MEM_RESERVE | MEM_WRITE_WATCH reservations are what the .NET garbage collector uses for its managed heap, so for a .NET sample such as this one (see the TRID result above) these three allocations are expected runtime behaviour rather than evidence of sandbox evasion; the signature is only meaningful for native code.)
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Thread delayed: delay time (ms): 922337203685477, 600000, 599875, 599766, 599656, 599547, 599437, 599328, 599218, 599109, 599000, 598886, 598766, 598609, 598316, 598124, 598015, 597906, 597797, 597687, 597578, 597469, 597359, 597250, 597141, 597031, 596922, 596812, 596703, 596593, 596481, 596362, 596245, 596125, 596015, 595905, 595782, 595656, 595547, 595398, 595281, 595170, 595047, 594937, 594826, 594719, 594609, 594500, 594390, 594281, 594172, 594062, 593953
                    (Reading: 922337203685477 is TimeSpan.MaxValue expressed in whole milliseconds (Int64.MaxValue ticks / 10000), i.e. an effectively infinite wait. The remaining series starts at 600000 ms (10 minutes) and decreases by roughly 110 ms per call, which is consistent with a loop that sleeps for whatever time is left until a fixed deadline and re-issues the sleep whenever it returns early. A sandbox that shortens each Sleep therefore does not shorten the total wait; it only multiplies the number of calls, which is what the thread sleep counts below reflect.)
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Window / User API: threadDelayed 2417
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Window / User API: threadDelayed 7415
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe TID: 7624 | Thread sleep count: 37 > 30
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe TID: 7624 | Thread sleep time (each reported as a negative value against the -30000s threshold): -34126476536362649s, -600000s, -599875s, -599766s, -599656s, -599547s, -599437s, -599328s, -599218s, -599109s, -599000s, -598886s, -598766s, -598609s, -598316s, -598124s, -598015s, -597906s, -597797s, -597687s, -597578s, -597469s, -597359s, -597250s, -597141s, -597031s, -596922s, -596812s, -596703s, -596593s, -596481s, -596362s, -596245s, -596125s, -596015s, -595905s, -595782s, -595656s, -595547s, -595398s, -595281s, -595170s, -595047s, -594937s, -594826s, -594719s, -594609s, -594500s, -594390s, -594281s, -594172s, -594062s, -593953s
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe TID: 7628 | Thread sleep count: 2417 > 30
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe TID: 7628 | Thread sleep count: 7415 > 30
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Thread delayed: delay time (ms): 922337203685477, 600000, 599875, 599766, 599656, 599547, 599437, 599328, 599218, 599109, 599000, 598886, 598766, 598609, 598316, 598124, 598015, 597906, 597797, 597687, 597578, 597469, 597359, 597250, 597141, 597031, 596922, 596812, 596703, 596593, 596481, 596362, 596245, 596125, 596015, 595905, 595782, 595656, 595547, 595398, 595281, 595170, 595047, 594937, 594826 (the same series as listed under the long-sleep signature above, reported again here for the evasive-loop signature)
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeThread delayed: delay time: 594719Jump to behavior
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeThread delayed: delay time: 594609Jump to behavior
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeThread delayed: delay time: 594500Jump to behavior
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeThread delayed: delay time: 594390Jump to behavior
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeThread delayed: delay time: 594281Jump to behavior
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeThread delayed: delay time: 594172Jump to behavior
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeThread delayed: delay time: 594062Jump to behavior
                    Source: C:\Users\user\Desktop\rwlPT9YJt0.exeThread delayed: delay time: 593953Jump to behavior
Source: rwlPT9YJt0.exe, 00000001.00000002.1492713261.0000000000C01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\rwlPT9YJt0.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
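The two process-creation lines above are the sample's self-deletion routine: cmd.exe runs `choice /C Y /N /D Y /T 3`, which auto-answers "Y" after three seconds and so acts as a sleep, then `Del` removes the sample's own executable once the parent has exited. The detector below is an added example written for this page, not Joe Sandbox code. It takes process-creation events (the field layout of image, parent image and command line is an assumption; the events are constructed from the tree shown here), pulls the deletion target out of the command line, and flags the event when a delay primitive (`choice /T`, `timeout`, `ping`) is chained with `del`/`erase` and the deleted path is the parent process's own image.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events modelled on the process tree in this
# report. The field layout (image, parent image, command line) is an
# assumption for this example, not a Joe Sandbox export format.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\user\Desktop\rwlPT9YJt0.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\rwlPT9YJt0.exe"'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\rwlPT9YJt0.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\rwlPT9YJt0.exe"'},
    {"image": r"C:\Windows\SysWOW64\choice.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"choice /C Y /N /D Y /T 3"},
    # Benign housekeeping (constructed): cmd.exe deleting a log file, not its parent binary.
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Installer\setup.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C del "C:\Users\user\AppData\Local\Temp\setup.log"'},
]

# Delay primitives commonly chained in front of the delete: choice with a
# timeout, timeout.exe, or a ping used as a sleep. Each match stops at the
# next command separator (& or |).
DELAY_RE = re.compile(
    r"\b(?:choice\b[^&|]*?/T\s+\d+|timeout\b[^&|]*|ping\b[^&|]*)", re.IGNORECASE)

# del/erase followed by optional switches (/f, /q, ...) and a possibly quoted
# path that runs up to the end of the command or the next separator.
DEL_RE = re.compile(
    r'\b(?:del|erase)\b\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*(?:$|[&|])', re.IGNORECASE)


def extract_delete_target(cmdline: str) -> Optional[str]:
    """Return the path passed to del/erase in a cmd.exe command line, if any."""
    m = DEL_RE.search(cmdline)
    return m.group(1).strip() if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Classify one process-creation event; None means nothing suspicious."""
    target = extract_delete_target(event["cmdline"])
    if target is None:
        return None
    delayed = DELAY_RE.search(event["cmdline"]) is not None
    # NTFS paths are case-insensitive, so compare them that way.
    deletes_parent = target.lower() == event["parent_image"].lower()
    if deletes_parent and delayed:
        return "self-deletion (delayed)"
    if deletes_parent:
        return "self-deletion"
    if delayed:
        return "delayed deletion"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (verdict, parent image, deletion target) for every flagged event."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append((verdict, ev["parent_image"], extract_delete_target(ev["cmdline"]) or ""))
    return hits


if __name__ == "__main__":
    for verdict, parent, target in scan(SAMPLE_EVENTS):
        print(f"{verdict}: {parent} asked cmd.exe to delete {target}")
```

The parent-image comparison is what separates this from ordinary cleanup: a `del` of a temp file with no delay is common, while a delayed `del` of the calling process's own executable has almost no legitimate use.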
Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Queries volume information: C:\Users\user\Desktop\rwlPT9YJt0.exe VolumeInformation
Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rwlPT9YJt0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: rwlPT9YJt0.exe, type: SAMPLE
Source: Yara match | File source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1493479148.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rwlPT9YJt0.exe PID: 7508, type: MEMORYSTR

Source: Yara match | File source: rwlPT9YJt0.exe, type: SAMPLE
Source: Yara match | File source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rwlPT9YJt0.exe PID: 7508, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: rwlPT9YJt0.exe, type: SAMPLE
Source: Yara match | File source: 1.0.rwlPT9YJt0.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1493479148.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rwlPT9YJt0.exe PID: 7508, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic. The number in parentheses is the count of matching signatures for that technique; techniques without a number are the matrix's unmatched cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); DLL Side-Loading (1); File Deletion (1); Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior graph: image not included in this extract. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.

Source | Detection | Scanner | Label
rwlPT9YJt0.exe | 92% | ReversingLabs | Win32.Keylogger.NotFound
rwlPT9YJt0.exe | 69% | Virustotal |
rwlPT9YJt0.exe | 100% | Avira | TR/ATRAPS.Gen
rwlPT9YJt0.exe | 100% | Joe Sandbox ML |
No antivirus matches in the remaining detection tables (dropped files, unpacked PE files, domains, URLs).
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
reallyfreegeoip.org | 104.21.80.1 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | rwlPT9YJt0.exe | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, rwlPT9YJt0.exe, 00000001.00000002.1493479148.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | rwlPT9YJt0.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
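The two contacted services above are how the sample learns where it is running: a request to checkip.dyndns.org (or .com) returns the machine's public IP, and that IP is then embedded in a request to https://reallyfreegeoip.org/xml/<ip> to resolve the country. The context tables later in this report show the same pair across many other Snake Keylogger submissions, which makes the sequence a better detection than either host on its own. The correlation below is an added example written for this page, not Joe Sandbox or Snake Keylogger code. It reads constructed proxy-log lines (the line layout, hosts and timestamps are assumptions for the example) and alerts only when one process on one host geolocates an IP shortly after an external-IP lookup, so a user simply browsing to the geolocation site does not fire it.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlparse

# Hosts seen in this report; extend with other IP-check / geolocation services.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# Path shape of the geolocation request made by the sample: /xml/<public ip>
GEOIP_PATH_RE = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})/?$")

# Constructed proxy log, one request per line. The layout
# "<UTC timestamp> <client host> <process> <method> <url>" is an assumption
# for this example; the client hosts and timestamps are invented.
SAMPLE_LOG = """\
2025-01-11T01:48:40Z ws-17 rwlPT9YJt0.exe GET http://checkip.dyndns.org/
2025-01-11T01:48:41Z ws-17 rwlPT9YJt0.exe GET https://reallyfreegeoip.org/xml/8.46.123.189
2025-01-11T01:50:02Z ws-22 chrome.exe GET https://www.bing.com/
2025-01-11T01:55:10Z ws-22 chrome.exe GET https://reallyfreegeoip.org/xml/8.46.123.189
2025-01-11T02:10:00Z ws-31 svchost.exe GET http://checkip.dyndns.com/
2025-01-11T02:20:00Z ws-31 svchost.exe GET https://reallyfreegeoip.org/xml/8.46.123.189
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one assumed-format log line into its fields."""
    ts, host, proc, method, url = line.split(maxsplit=4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "method": method, "url": url}


def correlate(log_text: str, window_seconds: int = 120) -> List[Dict[str, object]]:
    """Alert when a (host, process) pair geolocates an IP within window_seconds
    of asking an external-IP service. Either request alone is not enough."""
    last_ip_check: Dict[tuple, datetime] = {}
    alerts: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        parsed = urlparse(str(ev["url"]))
        hostname = parsed.hostname or ""
        key = (ev["host"], ev["proc"])
        if hostname in IP_CHECK_HOSTS:
            # Remember the most recent external-IP lookup for this host/process.
            last_ip_check[key] = ev["ts"]  # type: ignore[assignment]
            continue
        if hostname not in GEOIP_HOSTS:
            continue
        m = GEOIP_PATH_RE.match(parsed.path)
        seen = last_ip_check.get(key)
        if m and seen is not None and ev["ts"] - seen <= timedelta(seconds=window_seconds):  # type: ignore[operator]
            alerts.append({
                "host": ev["host"],
                "proc": ev["proc"],
                "public_ip": m.group(1),
                "seconds_after_ip_check": int((ev["ts"] - seen).total_seconds()),  # type: ignore[operator]
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['host']} {a['proc']}: geolocated {a['public_ip']} "
              f"{a['seconds_after_ip_check']}s after an external-IP lookup")
```

With the default two-minute window only ws-17 alerts: ws-22 never asked an IP-check service, and ws-31 waited ten minutes between the two requests. Widening the window trades that second miss for more noise; in practice the IP extracted from the path is also worth comparing against the organisation's known egress addresses.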
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588589
Start date and time: 2025-01-11 02:47:43 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rwlPT9YJt0.exe (renamed because the original name is a hash value)
Original Sample Name: 86c77bf7333198c8e299f4825812790b6254013bcf8725e5ced098d39f87c21f.exe
Detection: MAL
Classification: mal100.troj.winEXE@6/1@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 48
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target rwlPT9YJt0.exe, PID 7508 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
20:48:38 | API Interceptor | 98x Sleep call for process: rwlPT9YJt0.exe modified
IP context. Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.122.130.0 | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | VCU262Y2QB.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | h1HIe1rt4D.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | 4AMVusDMPP.exe | malicious | GuLoader | checkip.dyndns.org/
193.122.130.0 | tVuAoupHhZ.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | wymvwQ4mC4.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | C5JLkBS1CX.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | VQsnGWaNi5.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | lsc5QN46NH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Domain context. Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | CGk5FtIq0N.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | wOBmA8bj8d.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | KtPCqWWnqM.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | kQibsaGS2E.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 1907125702104121563.js | malicious | Strela Downloader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 2937924646314313784.js | malicious | Strela Downloader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | RdichqztBg.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | AraK29dzhH.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | YrCSUX2O3I.exe | malicious | GuLoader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ== | malicious | Unknown | 13.107.246.45
checkip.dyndns.com | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | uVpytXGpQz.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | VCU262Y2QB.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
checkip.dyndns.com | 4AMVusDMPP.exe | malicious | GuLoader | 193.122.130.0
checkip.dyndns.com | VCU262Y2QB.exe | malicious | Snake Keylogger | 158.101.44.242
reallyfreegeoip.org | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.64.1
reallyfreegeoip.org | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
reallyfreegeoip.org | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
reallyfreegeoip.org | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
ASN context. Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
CLOUDFLARENETUS | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
CLOUDFLARENETUS | XeFYBYYj0w.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | tfWjjV1LdT.exe | malicious | FormBook | 104.21.36.62
CLOUDFLARENETUS | uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.64.1
CLOUDFLARENETUS | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
CLOUDFLARENETUS | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
CLOUDFLARENETUS | BcF3o0Egke.exe | malicious | FormBook | 104.21.15.100
CLOUDFLARENETUS | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.48.1
CLOUDFLARENETUS | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
ORACLE-BMC-31898US | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | VCU262Y2QB.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
ORACLE-BMC-31898US | 4AMVusDMPP.exe | malicious | GuLoader | 193.122.130.0
ORACLE-BMC-31898US | VCU262Y2QB.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | tVuAoupHhZ.exe | malicious | Snake Keylogger | 193.122.130.0
JA3 fingerprint context. Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.80.1
                                                No context
                                                Process:C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1039
                                                Entropy (8bit):5.353332853270839
                                                Encrypted:false
                                                SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                                                MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                                                SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                                                SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                                                SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):5.836544704175262
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                File name:rwlPT9YJt0.exe
                                                File size:134'144 bytes
                                                MD5:f2366f3502c99eb271ef13d52cffc955
                                                SHA1:604d14da5634e8fae303e686e8aa000cc4d7ac1b
                                                SHA256:86c77bf7333198c8e299f4825812790b6254013bcf8725e5ced098d39f87c21f
                                                SHA512:0e760e41ca326fd80dea91b29025393cda367c0503d71ec685005b6d0a6b786c028e99c7e2642f9b86ef5ba578e485502987ab8c56828320817e28f0395d0255
                                                SSDEEP:3072:5EYgRPDH8edkPScrxVkkb57AdsL0wvxpqgbY:2R7Hakkb1Akzb
                                                TLSH:24D31A0A27E49804E1FFA9730670A115C775B8131A6ADF1D17C2B82D2B7D6E1CE16FA3
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.f..............P.............^.... ... ....@.. .......................`............@................................
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x42155e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x66972DD9 [Wed Jul 17 02:35:05 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (at the entry point 0x42155e; 6 bytes FF 25 00 20 40 00)
jmp dword ptr [00402000h]
The listing then shows "add byte ptr [eax], al" 97 times: that is the disassembler decoding the 00 00 bytes that follow the stub (the stub ends at RVA 0x21564, exactly the end of .text's virtual size).
0x402000 is ImageBase 0x400000 + the IAT RVA 0x2000 from the directory table below, i.e. the single import slot for mscoree.dll!_CorExeMain. This is the standard native entry thunk of a managed executable: none of the sample's own logic is reachable from here, so analysis has to move to the CIL.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21504 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x108f | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1f564 | 0x1f600 | 8eb630242299a3d5b2311b96d40fa0ca | False | 0.35620798057768926 | data | 5.8499322924218475 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0x108f | 0x1200 | f59392b7fa5e8b22ad0c6b19a0b07c20 | False | 0.3663194444444444 | data | 4.868462934974607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x24000 | 0xc | 0x200 | 4f6d91bc58ecedb425ca0505fecce648 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x220a0 | 0x394 | OpenPGP Secret Key (libmagic guess on the raw bytes; an RT_VERSION resource is a VS_VERSIONINFO block, not key material) | - | - | 0.42358078602620086
RT_MANIFEST | 0x22434 | 0xc5b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.3926651912741069
DLL | Import
mscoree.dll | _CorExeMain
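The static tables above (entry point, DLL characteristics, data directories, sections, imports) are what a PE parser recovers from the first few hundred bytes of the file. The following Python is an added example, not Joe Sandbox code: it walks a PE32 header, maps each directory to its owning section, and checks whether the entry point is the 6-byte jump-through-IAT thunk that every managed executable carries. The sample image it builds is constructed from this report's values; the section file offsets (0x200, 0x1f800, 0x20a00) are assumed, since PointerToRawData is not listed, though they are consistent with the reported raw sizes and the 134'144-byte file size.

```python
"""PE32 header walker mirroring the static tables above: entry point, DLL
characteristics, data directories with their owning section, and a check that
the entry stub is `jmp dword ptr [IAT slot]`, the managed _CorExeMain thunk.
Added example, not Joe Sandbox code; the sample image is constructed from this
report's values (section file offsets are assumed, the report omits them)."""
import struct

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}


def parse_pe(data):
    """Return entry RVA, image base, subsystem, DLL flags, directories, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                 # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dllchar = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsect):                                        # 40-byte section headers
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode()
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, rawsize, rawptr))
    return {"entry": entry, "image_base": base, "subsystem": subsystem,
            "dll_characteristics": [n for b, n in DLL_FLAGS.items() if dllchar & b],
            "directories": dirs, "sections": sections}


def section_for_rva(pe, rva):
    """Owning section name (the 'Is in Section' column), None for the headers."""
    for name, va, vsize, rawsize, _ in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return name
    return None


def rva_to_offset(pe, rva):
    """Translate an RVA to a file offset through the section table."""
    for _, va, vsize, rawsize, rawptr in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def entry_jumps_through_iat(data, pe):
    """True if the entry point is FF 25 <abs32> (jmp dword ptr [addr]) with addr
    inside the IAT directory: the _CorExeMain thunk, all the native code a CLR image has."""
    off = rva_to_offset(pe, pe["entry"])
    if data[off:off + 2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", data, off + 2)[0] - pe["image_base"]
    iat_rva, iat_size = pe["directories"]["IAT"]
    return iat_rva <= target < iat_rva + iat_size


def build_sample_image():
    """Constructed PE32 image carrying this report's header values (no real code)."""
    img = bytearray(0x20C00)                                      # 134'144 bytes, as reported
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # machine i386, 3 sections, timestamp, symtab, nsyms, optional size, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 3, 0x66972DD9, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6, img, opt,
                     0x10B, 48, 0,                                # PE32 magic, linker version
                     0x1F600, 0x1400, 0, 0x2155E, 0x2000, 0x22000, 0x400000, 0x2000, 0x200,
                     4, 0, 4, 0, 4, 0,                            # OS / image / subsystem versions
                     0, 0x26000, 0x200, 0,                        # win32 ver, SizeOfImage, SizeOfHeaders, checksum
                     2, 0x8540,                                   # WINDOWS_GUI, DllCharacteristics
                     0x100000, 0x1000, 0x100000, 0x1000, 0, 16)   # stack/heap, loader flags, 16 dirs
    for idx, rva, size in [(1, 0x21504, 0x57), (2, 0x22000, 0x108F), (5, 0x24000, 0xC),
                           (12, 0x2000, 0x8), (14, 0x2008, 0x48)]:
        struct.pack_into("<II", img, opt + 96 + 8 * idx, rva, size)
    for i, hdr in enumerate([(b".text", 0x1F564, 0x2000, 0x1F600, 0x200, 0x60000020),
                             (b".rsrc", 0x108F, 0x22000, 0x1200, 0x1F800, 0x40000040),
                             (b".reloc", 0xC, 0x24000, 0x200, 0x20A00, 0x42000040)]):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + 40 * i, *hdr[:5], 0, 0, 0, 0, hdr[5])
    # entry stub FF 25 00 20 40 00 = jmp dword ptr [0x402000], the IAT slot of _CorExeMain
    off = 0x2155E - 0x2000 + 0x200
    img[off:off + 6] = b"\xff\x25\x00\x20\x40\x00"
    return bytes(img)


if __name__ == "__main__":                                        # quick stand-alone run
    pe = parse_pe(build_sample_image())
    print(pe["dll_characteristics"], entry_jumps_through_iat(build_sample_image(), pe))
```

On a real file, `parse_pe(open(path, "rb").read())` yields the same dictionary. A managed image is recognised by a non-zero COM_DESCRIPTOR directory (0x2008, 0x48 here: the CLR header sitting right behind the IAT in .text), which is a more reliable tell than the single mscoree.dll import, since the import table is under the author's control.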
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T02:48:37.583191+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | - | 192.168.2.9 | 49732 | 193.122.130.0 | 80 | TCP
2025-01-11T02:48:38.973773+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | - | 192.168.2.9 | 49732 | 193.122.130.0 | 80 | TCP
2025-01-11T02:48:39.550636+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | - | 192.168.2.9 | 49754 | 104.21.80.1 | 443 | TCP
2025-01-11T02:48:40.223788+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | - | 192.168.2.9 | 49759 | 193.122.130.0 | 80 | TCP
2025-01-11T02:48:40.778009+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | - | 192.168.2.9 | 49761 | 104.21.80.1 | 443 | TCP
2025-01-11T02:48:43.129523+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | - | 192.168.2.9 | 49780 | 104.21.80.1 | 443 | TCP
2025-01-11T02:48:46.456986+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | - | 192.168.2.9 | 49802 | 104.21.80.1 | 443 | TCP
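The alert table above and the packet list that follows describe the same traffic from two angles. The Python below is an added example (not Joe Sandbox tooling) that reassembles packet rows into client-keyed TCP flows and joins the Suricata alerts onto them, which is how one finds the connections no rule fired on: in this sample the first TLS session (client port 49743) raises nothing, while the HTTP flow to 193.122.130.0:80 and the second TLS session to 104.21.80.1:443 do. PACKETS holds fifteen rows copied from this report's packet list covering its first three connections; ALERTS holds the first three rows of the alert table. The lower-port-is-server rule in flow_key is a heuristic that holds for 80/443 traffic.

```python
"""Rebuild TCP flows from the packet list and join the Suricata alerts onto
them by (client port, server IP, server port). Added example, not Joe Sandbox
tooling. PACKETS holds rows copied from this report's packet list (first three
connections only); ALERTS holds the first three rows of the alert table."""
from datetime import datetime

PACKETS = """\
Jan 11, 2025 02:48:36.243026018 CET 49732 80 192.168.2.9 193.122.130.0
Jan 11, 2025 02:48:36.247828960 CET 80 49732 193.122.130.0 192.168.2.9
Jan 11, 2025 02:48:36.247891903 CET 49732 80 192.168.2.9 193.122.130.0
Jan 11, 2025 02:48:36.248174906 CET 49732 80 192.168.2.9 193.122.130.0
Jan 11, 2025 02:48:37.583190918 CET 49732 80 192.168.2.9 193.122.130.0
Jan 11, 2025 02:48:37.886668921 CET 49743 443 192.168.2.9 104.21.80.1
Jan 11, 2025 02:48:37.886698008 CET 443 49743 104.21.80.1 192.168.2.9
Jan 11, 2025 02:48:37.945861101 CET 49743 443 192.168.2.9 104.21.80.1
Jan 11, 2025 02:48:38.779354095 CET 49743 443 192.168.2.9 104.21.80.1
Jan 11, 2025 02:48:38.783607960 CET 49732 80 192.168.2.9 193.122.130.0
Jan 11, 2025 02:48:38.926533937 CET 49754 443 192.168.2.9 104.21.80.1
Jan 11, 2025 02:48:38.926551104 CET 443 49754 104.21.80.1 192.168.2.9
Jan 11, 2025 02:48:38.973773003 CET 49732 80 192.168.2.9 193.122.130.0
Jan 11, 2025 02:48:39.550662041 CET 443 49754 104.21.80.1 192.168.2.9
Jan 11, 2025 02:48:39.557944059 CET 49754 443 192.168.2.9 104.21.80.1
"""

# (sid, signature, src ip, src port, dst ip, dst port), as in the alert table
ALERTS = [
    (2803274, "ETPRO MALWARE Common Downloader Header Pattern UH2",
     "192.168.2.9", 49732, "193.122.130.0", 80),
    (2803274, "ETPRO MALWARE Common Downloader Header Pattern UH2",
     "192.168.2.9", 49732, "193.122.130.0", 80),
    (2803305, "ETPRO MALWARE Common Downloader Header Pattern H3",
     "192.168.2.9", 49754, "104.21.80.1", 443),
]


def flow_key(ip_a, port_a, ip_b, port_b):
    """Canonical (client ip, client port, server ip, server port) plus a flag
    telling whether the packet travels client -> server. Heuristic: the lower
    port is the service side, which holds for the 80/443 traffic here."""
    if port_a > port_b:
        return (ip_a, port_a, ip_b, port_b), True
    return (ip_b, port_b, ip_a, port_a), False


def build_flows(packet_text, alerts):
    """Group packet rows into flows and attach alert SIDs to the flow they hit."""
    flows = {}
    for line in packet_text.strip().splitlines():
        f = line.split()                  # Mon DD, YYYY HH:MM:SS.ns TZ sport dport src dst
        ts = datetime.strptime(f"{f[0]} {f[1]} {f[2]} {f[3][:15]}", "%b %d, %Y %H:%M:%S.%f")
        key, c2s = flow_key(f[7], int(f[5]), f[8], int(f[6]))
        fl = flows.setdefault(key, {"first": ts, "last": ts, "c2s": 0, "s2c": 0, "alerts": []})
        fl["first"], fl["last"] = min(fl["first"], ts), max(fl["last"], ts)
        fl["c2s" if c2s else "s2c"] += 1
    for sid, _sig, sip, sport, dip, dport in alerts:
        key, _ = flow_key(sip, sport, dip, dport)   # alerts may be logged in either direction
        if key in flows:
            flows[key]["alerts"].append(sid)
    return flows


def server_sequence(flows):
    """Servers in order of first packet: exposes the HTTP / TLS interleaving."""
    ordered = sorted(flows.items(), key=lambda kv: kv[1]["first"])
    return [f"{k[2]}:{k[3]}" for k, _ in ordered]


def flows_without_alerts(flows):
    """Client ports of connections no rule fired on; for TLS these need JA3/SNI review."""
    return sorted(k[1] for k, v in flows.items() if not v["alerts"])


if __name__ == "__main__":
    flows = build_flows(PACKETS, ALERTS)
    for key, fl in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        print(f"{key[1]:>5} -> {key[2]}:{key[3]:<3} c2s={fl['c2s']} s2c={fl['s2c']} "
              f"dur={(fl['last'] - fl['first']).total_seconds():.3f}s alerts={fl['alerts']}")
```

Keying flows by the client port is what lets an alert row be matched back to a single connection even though the report shows both directions as separate packet rows; the same join, run over the full list, shows the sample opening a plain-HTTP connection to 193.122.130.0 and a TLS connection to 104.21.80.1 in alternation roughly every second.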
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 02:48:36.243026018 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:36.247828960 CET | 80 | 49732 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:36.247891903 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:36.248174906 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:36.252989054 CET | 80 | 49732 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:37.398909092 CET | 80 | 49732 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:37.407562017 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:37.412446022 CET | 80 | 49732 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:37.537951946 CET | 80 | 49732 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:37.583190918 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:37.886668921 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:37.886698008 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:37.886756897 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:37.945861101 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:37.945869923 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.436232090 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.436305046 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.457467079 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.457499027 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.457848072 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.505029917 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.653484106 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.695336103 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.772593975 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.772651911 CET | 443 | 49743 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.772701025 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.779354095 CET | 49743 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.783607960 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:38.788465977 CET | 80 | 49732 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:38.923049927 CET | 80 | 49732 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:38.926533937 CET | 49754 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.926551104 CET | 443 | 49754 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.926868916 CET | 49754 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.927469969 CET | 49754 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:38.927479982 CET | 443 | 49754 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:38.973773003 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:39.394094944 CET | 443 | 49754 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:39.397286892 CET | 49754 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:39.397327900 CET | 443 | 49754 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:39.550662041 CET | 443 | 49754 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:39.550704002 CET | 443 | 49754 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:39.553972960 CET | 49754 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:39.557944059 CET | 49754 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:39.564088106 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:39.565334082 CET | 49759 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:39.569036007 CET | 80 | 49732 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:39.569098949 CET | 49732 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:39.570112944 CET | 80 | 49759 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:39.570415974 CET | 49759 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:39.570653915 CET | 49759 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:39.575368881 CET | 80 | 49759 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:40.171840906 CET | 80 | 49759 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:40.176410913 CET | 49761 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:40.176460028 CET | 443 | 49761 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:40.176552057 CET | 49761 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:40.176981926 CET | 49761 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:40.176991940 CET | 443 | 49761 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:40.223788023 CET | 49759 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:40.635349989 CET | 443 | 49761 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:40.671546936 CET | 49761 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:40.671586037 CET | 443 | 49761 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:40.778032064 CET | 443 | 49761 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:40.778132915 CET | 443 | 49761 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:40.778230906 CET | 49761 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:40.780575991 CET | 49761 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:40.790005922 CET | 49767 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:40.795005083 CET | 80 | 49767 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:40.795084000 CET | 49767 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:40.795228958 CET | 49767 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:40.800049067 CET | 80 | 49767 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:41.274195910 CET | 80 | 49767 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:41.275516033 CET | 49768 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:41.275561094 CET | 443 | 49768 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:41.275850058 CET | 49768 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:41.276393890 CET | 49768 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:41.276405096 CET | 443 | 49768 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:41.317523956 CET | 49767 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:41.739298105 CET | 443 | 49768 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:41.741815090 CET | 49768 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:41.741839886 CET | 443 | 49768 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:41.893984079 CET | 443 | 49768 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:41.894078970 CET | 443 | 49768 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:41.894156933 CET | 49768 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:41.894742966 CET | 49768 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:41.898911953 CET | 49767 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:41.900152922 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:41.904623032 CET | 80 | 49767 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:41.904696941 CET | 49767 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:41.905884981 CET | 80 | 49774 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:41.905957937 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:41.906102896 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:41.911705971 CET | 80 | 49774 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:42.525719881 CET | 80 | 49774 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:42.527127981 CET | 49780 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:42.527172089 CET | 443 | 49780 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:42.527309895 CET | 49780 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:42.527659893 CET | 49780 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:42.527671099 CET | 443 | 49780 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:42.567516088 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:42.983614922 CET | 443 | 49780 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:42.986340046 CET | 49780 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:42.986352921 CET | 443 | 49780 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:43.129496098 CET | 443 | 49780 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:43.129573107 CET | 443 | 49780 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:43.129750967 CET | 49780 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:43.132348061 CET | 49780 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:43.138144970 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:43.138870001 CET | 49786 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:43.143738985 CET | 80 | 49774 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:43.143845081 CET | 49774 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:43.144813061 CET | 80 | 49786 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:43.144903898 CET | 49786 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:43.145020008 CET | 49786 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:43.150674105 CET | 80 | 49786 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:45.720869064 CET | 80 | 49786 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:45.723303080 CET | 49802 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:45.723388910 CET | 443 | 49802 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:45.723460913 CET | 49802 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:45.724158049 CET | 49802 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:45.724172115 CET | 443 | 49802 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:45.770688057 CET | 49786 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:46.322176933 CET | 443 | 49802 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:46.324196100 CET | 49802 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:46.324240923 CET | 443 | 49802 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:46.457010031 CET | 443 | 49802 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:46.457083941 CET | 443 | 49802 | 104.21.80.1 | 192.168.2.9
Jan 11, 2025 02:48:46.457134962 CET | 49802 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:46.457787991 CET | 49802 | 443 | 192.168.2.9 | 104.21.80.1
Jan 11, 2025 02:48:46.462285995 CET | 49786 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:46.463550091 CET | 49808 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:46.467698097 CET | 80 | 49786 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:46.467747927 CET | 49786 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:46.468367100 CET | 80 | 49808 | 193.122.130.0 | 192.168.2.9
Jan 11, 2025 02:48:46.468431950 CET | 49808 | 80 | 192.168.2.9 | 193.122.130.0
Jan 11, 2025 02:48:46.468513012 CET | 49808 | 80 | 192.168.2.9 | 193.122.130.0
                                                Jan 11, 2025 02:48:46.473351955 CET8049808193.122.130.0192.168.2.9
                                                Jan 11, 2025 02:48:47.300707102 CET8049808193.122.130.0192.168.2.9
                                                Jan 11, 2025 02:48:47.302405119 CET49814443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:47.302449942 CET44349814104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:47.302524090 CET49814443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:47.302866936 CET49814443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:47.302877903 CET44349814104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:47.348783970 CET4980880192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:48:47.771760941 CET44349814104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:47.773730040 CET49814443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:47.773762941 CET44349814104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:47.907782078 CET44349814104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:47.907860041 CET44349814104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:47.908169031 CET49814443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:47.908540010 CET49814443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:47.912539005 CET4980880192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:48:47.913764954 CET4982080192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:48:47.917912006 CET8049808193.122.130.0192.168.2.9
                                                Jan 11, 2025 02:48:47.918004036 CET4980880192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:48:47.918621063 CET8049820193.122.130.0192.168.2.9
                                                Jan 11, 2025 02:48:47.918828964 CET4982080192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:48:47.919015884 CET4982080192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:48:47.924351931 CET8049820193.122.130.0192.168.2.9
                                                Jan 11, 2025 02:48:49.330205917 CET8049820193.122.130.0192.168.2.9
                                                Jan 11, 2025 02:48:49.331814051 CET49831443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:49.331830025 CET44349831104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:49.332062960 CET49831443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:49.332356930 CET49831443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:49.332365990 CET44349831104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:49.380026102 CET4982080192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:48:49.813663960 CET44349831104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:49.815802097 CET49831443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:49.815819979 CET44349831104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:49.943909883 CET44349831104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:49.943981886 CET44349831104.21.80.1192.168.2.9
                                                Jan 11, 2025 02:48:49.944117069 CET49831443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:49.944789886 CET49831443192.168.2.9104.21.80.1
                                                Jan 11, 2025 02:48:50.102382898 CET4982080192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:48:50.102677107 CET4975980192.168.2.9193.122.130.0
                                                Jan 11, 2025 02:49:17.684979916 CET5272653192.168.2.9162.159.36.2
                                                Jan 11, 2025 02:49:17.690078020 CET5352726162.159.36.2192.168.2.9
                                                Jan 11, 2025 02:49:17.690196037 CET5272653192.168.2.9162.159.36.2
                                                Jan 11, 2025 02:49:17.695296049 CET5352726162.159.36.2192.168.2.9
                                                Jan 11, 2025 02:49:18.207478046 CET5272653192.168.2.9162.159.36.2
                                                Jan 11, 2025 02:49:18.212995052 CET5352726162.159.36.2192.168.2.9
                                                Jan 11, 2025 02:49:18.213084936 CET5272653192.168.2.9162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 02:48:36.228729010 CET | 50781 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 02:48:36.237046957 CET | 53 | 50781 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 02:48:37.878653049 CET | 56166 | 53 | 192.168.2.9 | 1.1.1.1
Jan 11, 2025 02:48:37.885593891 CET | 53 | 56166 | 1.1.1.1 | 192.168.2.9
Jan 11, 2025 02:49:17.684298992 CET | 53 | 50813 | 162.159.36.2 | 192.168.2.9
Jan 11, 2025 02:49:18.394090891 CET | 53 | 53359 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 02:48:36.228729010 CET | 192.168.2.9 | 1.1.1.1 | 0x71fa | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:37.878653049 CET | 192.168.2.9 | 1.1.1.1 | 0xdbf7 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 02:48:31.493329048 CET | 1.1.1.1 | 192.168.2.9 | 0xa832 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 02:48:31.493329048 CET | 1.1.1.1 | 192.168.2.9 | 0xa832 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:36.237046957 CET | 1.1.1.1 | 192.168.2.9 | 0x71fa | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 02:48:36.237046957 CET | 1.1.1.1 | 192.168.2.9 | 0x71fa | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:36.237046957 CET | 1.1.1.1 | 192.168.2.9 | 0x71fa | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:36.237046957 CET | 1.1.1.1 | 192.168.2.9 | 0x71fa | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:36.237046957 CET | 1.1.1.1 | 192.168.2.9 | 0x71fa | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:36.237046957 CET | 1.1.1.1 | 192.168.2.9 | 0x71fa | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:37.885593891 CET | 1.1.1.1 | 192.168.2.9 | 0xdbf7 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:37.885593891 CET | 1.1.1.1 | 192.168.2.9 | 0xdbf7 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:37.885593891 CET | 1.1.1.1 | 192.168.2.9 | 0xdbf7 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:37.885593891 CET | 1.1.1.1 | 192.168.2.9 | 0xdbf7 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:37.885593891 CET | 1.1.1.1 | 192.168.2.9 | 0xdbf7 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:37.885593891 CET | 1.1.1.1 | 192.168.2.9 | 0xdbf7 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:48:37.885593891 CET | 1.1.1.1 | 192.168.2.9 | 0xdbf7 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49732 | 193.122.130.0 | 80 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 02:48:36.248174906 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 02:48:37.398909092 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:37 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c8f68ec64dae587bf05749ac7831f281
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 02:48:37.407562017 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 02:48:37.537951946 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:37 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 815989172ede6ac013ebdc4c21fbb096
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 02:48:38.783607960 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 02:48:38.923049927 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:38 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cb9e1049d05e09c24d2a1994ff2e2e7d
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49759 | 193.122.130.0 | 80 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 02:48:39.570653915 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 02:48:40.171840906 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:40 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4ff68a21628822cb1516e50ff80824c6
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49767 | 193.122.130.0 | 80 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 02:48:40.795228958 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 02:48:41.274195910 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:41 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 2a0ca6e99ad174f0f47b8cea23c23999
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49774 | 193.122.130.0 | 80 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 02:48:41.906102896 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 02:48:42.525719881 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:42 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 96eccb5f9ab817bba772d2744791ce81
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49786 | 193.122.130.0 | 80 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 02:48:43.145020008 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 02:48:45.720869064 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:45 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: fcbffab1721d587f7e6500de880dfa5b
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49808 | 193.122.130.0 | 80 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 02:48:46.468513012 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 02:48:47.300707102 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:47 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7c02bee9974c5f5f429f9193eea5d7cd
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49820 | 193.122.130.0 | 80 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 02:48:47.919015884 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 02:48:49.330205917 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:49 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 98bdcd1d5667d4a011a6e2b0fca01ea8
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49743 | 104.21.80.1 | 443 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 01:48:38 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 01:48:38 UTC | 855 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:48:38 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1874907
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zlmY1JRnZUeyS2WCdv2HMODaoWtY%2F1cHDnLl2Ia3CQQ6kLHvUrEi9U8p2VGLXU%2BhzEzXiVnsSiXrkr3otEinavIcqXk8L1M3OFlNLYlXvLpH0LyRDQ8M%2FLPLAOduHQVYlcU0KH5O"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90013ee5eb3043ee-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1719&min_rtt=1712&rtt_var=657&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1645070&cwnd=228&unsent_bytes=0&cid=1405dcd582b1f417&ts=358&x=0"
2025-01-11 01:48:38 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                1192.168.2.949754104.21.80.14437508C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                TimestampBytes transferredDirectionData
                                                2025-01-11 01:48:39 UTC61OUTGET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                2025-01-11 01:48:39 UTC867INHTTP/1.1 200 OK
                                                Date: Sat, 11 Jan 2025 01:48:39 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1874908
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wjKPReOH%2BMuBtLu05JsH10jT9O459geovt5Z%2BPi%2BFrYcERr65MW3WIDiUvKBz5nFTy8eEHjkHDWv%2ByzJ4w20%2BGOmSqzDNM%2BvpWwpYHGjrhIoBdR2BK%2Bsbm%2B0bAav%2BUSIvwwUI6yk"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90013eeadb108c0f-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1958&min_rtt=1957&rtt_var=737&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1482986&cwnd=223&unsent_bytes=0&cid=96ca38ebccac3ce3&ts=163&x=0"
                                                2025-01-11 01:48:39 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                2 | 192.168.2.9 | 49761 | 104.21.80.144 | 443 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-11 01:48:40 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                2025-01-11 01:48:40 UTC | 853 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 11 Jan 2025 01:48:40 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1874909
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kZ3ZNHOl9ek9Zlx2AHawZpevLI7D4sO%2BN5ulVKNbiFoogn%2BipinH2bhoNNm3Ut1Pf2jPbVYxFgwKZ2iWOyyyQckyWeYFyZN1jxC8CK5cUgSjvQDPFsAQgJ3dMLd5fCrI5adGmxp5"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90013ef28d588c0f-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1959&rtt_var=739&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1476238&cwnd=223&unsent_bytes=0&cid=a57feb863880d69a&ts=146&x=0"
                                                2025-01-11 01:48:40 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                3 | 192.168.2.9 | 49768 | 104.21.80.144 | 443 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-11 01:48:41 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-11 01:48:41 UTC | 859 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 11 Jan 2025 01:48:41 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1874910
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VKLQ8QdRL0ytieH%2FQwiAlWVHWMd5QODCdKafwjX5F9OBOo8wzE77PTW5KP9f%2BdLsgx0cdArFxoCTSrYTXkI%2F5xOOhMiFf7W0q5n97IHmkDHgsou%2BDYxpBlUlyeEZVD7%2BHJRWE4MZ"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90013ef97d0e0f36-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1495&min_rtt=1494&rtt_var=564&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1935056&cwnd=231&unsent_bytes=0&cid=131a84b3e1edc71b&ts=159&x=0"
                                                2025-01-11 01:48:41 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.9 | 49780 | 104.21.80.144 | 443 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-11 01:48:42 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                2025-01-11 01:48:43 UTC | 859 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 11 Jan 2025 01:48:43 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1874912
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cPPwmWNA3wvnWsARchbpH0XLjpeZsOiKQn1gvcN7V%2FyXn%2FVsQwwJgnmKphklvOEqoogu6q%2FLzYOQSGBIFOLVkBJqzNRaprEBUH8jw8nowgGX%2Fdlo5NHYs8un6U1q1i2Gp4nZr%2BOD"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90013f013c6442d2-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1547&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1795817&cwnd=229&unsent_bytes=0&cid=e49090b876035b5d&ts=150&x=0"
                                                2025-01-11 01:48:43 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.9 | 49802 | 104.21.80.144 | 443 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-11 01:48:46 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                2025-01-11 01:48:46 UTC | 853 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 11 Jan 2025 01:48:46 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1874915
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2kBwaiBOmqxv7%2BlrxmePPfmrZWA6vULtwO88TLvBSzlr6%2F9%2BlK4LHE34tuzG9ZkL85uEsNvQ78gFZWNoq1sIBkESA3w4nABdCiCB0waTpnOxsvjwVV1a5395NQ98BB8Lf92rAGVH"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90013f15f9600f36-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1522&min_rtt=1522&rtt_var=761&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4234&recv_bytes=699&delivery_rate=42123&cwnd=231&unsent_bytes=0&cid=b760ae9f4c85ca06&ts=207&x=0"
                                                2025-01-11 01:48:46 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.9 | 49814 | 104.21.80.144 | 443 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-11 01:48:47 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-11 01:48:47 UTC | 863 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 11 Jan 2025 01:48:47 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1874916
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LAGRoozWwvtU8f%2BW8JTRdwCf%2F2um%2BC7H9s5jkGIUq0RbC7XX9GuuoBG%2B0Fu%2BfQ7L9dllQOJxDcqP3c9WjaeNg%2B%2FgfTEcJNkFT8owdJbTQewJpOa4hhCY12e8UOriHlnmri1HO0iy"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90013f1f1e9c43ee-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1622&rtt_var=618&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1754807&cwnd=228&unsent_bytes=0&cid=54612dc47f4c2b8e&ts=139&x=0"
                                                2025-01-11 01:48:47 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.9 | 49831 | 104.21.80.144 | 443 | 7508 | C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2025-01-11 01:48:49 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                Host: reallyfreegeoip.org
                                                Connection: Keep-Alive
                                                2025-01-11 01:48:49 UTC | 857 | IN | HTTP/1.1 200 OK
                                                Date: Sat, 11 Jan 2025 01:48:49 GMT
                                                Content-Type: text/xml
                                                Content-Length: 362
                                                Connection: close
                                                Age: 1874919
                                                Cache-Control: max-age=31536000
                                                cf-cache-status: HIT
                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7v%2FtXYhNxC36OlYRjRv8ynYD8qtR4Y3siElynxDyqn1syIS1g5x3xPj4%2FGx1tF%2F2y3okc3LXIiH4aOrfHpyH%2FAmvFwVc928QZp4MAzTTEGv0q7t40hsR4rfZlDhRE1GW1Dh40lS7"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 90013f2bc9378c0f-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=2068&min_rtt=2065&rtt_var=782&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1393794&cwnd=223&unsent_bytes=0&cid=f5a36b6e5c7af222&ts=137&x=0"
                                                2025-01-11 01:48:49 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                                Target ID:1
                                                Start time:20:48:34
                                                Start date:10/01/2025
                                                Path:C:\Users\user\Desktop\rwlPT9YJt0.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\rwlPT9YJt0.exe"
                                                Imagebase:0x660000
                                                File size:134'144 bytes
                                                MD5 hash:F2366F3502C99EB271EF13D52CFFC955
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.1493479148.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000001.00000000.1348006636.0000000000662000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.1493479148.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:20:48:49
                                                Start date:10/01/2025
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\rwlPT9YJt0.exe"
                                                Imagebase:0xc50000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:20:48:49
                                                Start date:10/01/2025
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff70f010000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:20:48:49
                                                Start date:10/01/2025
                                                Path:C:\Windows\SysWOW64\choice.exe
                                                Wow64 process (32bit):true
                                                Commandline:choice /C Y /N /D Y /T 3
                                                Imagebase:0x2d0000
                                                File size:28'160 bytes
                                                MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: E
                                                  • API String ID: 0-3568589458
                                                  • Opcode ID: 8089ef7530265741fa2610d802c9d2cfff8d362a77e008861075dc567c208d7c
                                                  • Instruction ID: 35276f989ef0887389e601c62b0b20ed2ef4f43c25c185e075a73f69cb84777a
                                                  • Opcode Fuzzy Hash: 8089ef7530265741fa2610d802c9d2cfff8d362a77e008861075dc567c208d7c
                                                  • Instruction Fuzzy Hash: 9BE11874A00218CFDB14CFA9D984AADBBF1FF49304F1590A9E919AB362DB30AD41CF50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3586c91bf3bbbeb397f996a63190285ffb65a03a122dbd01fd2ed10ce22d6c9f
                                                  • Instruction ID: c25b70351d0b2daeb1bee659c59e5d88e9cf404b90046f48ee076f46a35e1d4b
                                                  • Opcode Fuzzy Hash: 3586c91bf3bbbeb397f996a63190285ffb65a03a122dbd01fd2ed10ce22d6c9f
                                                  • Instruction Fuzzy Hash: CF727F71A00209CFCB15CF68C984ABEBBF2FF88304F159569E949AB261D730ED51DB61
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e4d823e607bc7a1555cee119652ae6c77a088fb6217347908e34953f16351228
                                                  • Instruction ID: 92f91f9d909dfa45adb7f8924a02698926a7a2c7a1ce6b19958e1259ced9a06b
                                                  • Opcode Fuzzy Hash: e4d823e607bc7a1555cee119652ae6c77a088fb6217347908e34953f16351228
                                                  • Instruction Fuzzy Hash: 7F124970A00209DFCB14CFA9D984ABEBBB2FF89304F15906AE955EB2A1D731DC41DB50
                                                  • Instruction Fuzzy Hash: 1D21B63832C2084BEB143A79C85467E36979FC8B1AF14507AD646DB7D4EE35CC81E790
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b890d2641bc581fc82f2e740de998e28bd6052700e102c6f8406a673f5cdf4ef
                                                  • Instruction ID: c867ef9a4fb6f5bddfe1a7c0a6bc52f4679611b049096a7a81b1bbd25c2b9992
                                                  • Opcode Fuzzy Hash: b890d2641bc581fc82f2e740de998e28bd6052700e102c6f8406a673f5cdf4ef
                                                  • Instruction Fuzzy Hash: D1218375A00219AFCB14DB68C4509BE7BA6EB99750F10C459DA059B340DF31EE46CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d38aab0f752a05ad38b37c2f60f54f143d5f049d018bf7d2d3a4c13d1260958a
                                                  • Instruction ID: 1ca7e67fa4ad3f9420ad1cc29bccbcd423635603bc6be4f2ff878fabc54f95de
                                                  • Opcode Fuzzy Hash: d38aab0f752a05ad38b37c2f60f54f143d5f049d018bf7d2d3a4c13d1260958a
                                                  • Instruction Fuzzy Hash: 4D21D332705E158FC7199A78C4A453BB7A2EF8976171485AAEA06DB351CF30DC12D7D0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 81867c88ba7760147e9f8e12e40aee974a5802f1da8db8e75ea7c94a067a32ca
                                                  • Instruction ID: d63b7a0161c49cfaea42b16476f2f479aa01d2c62ee271792fce73fe4c7abc24
                                                  • Opcode Fuzzy Hash: 81867c88ba7760147e9f8e12e40aee974a5802f1da8db8e75ea7c94a067a32ca
                                                  • Instruction Fuzzy Hash: AD212331C15609CECB11EFA8E8046ECFBB5FF4A301F109629E55477264EB306A5ACB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 79a60948c15c9a95b374ab9a7573bc618a5f7307dd057faa4d2c0abfd3adf13e
                                                  • Instruction ID: 696c08d660a1d5460796025d7bb9ff2ef65f3f2856c96d4806f5af2eca082424
                                                  • Opcode Fuzzy Hash: 79a60948c15c9a95b374ab9a7573bc618a5f7307dd057faa4d2c0abfd3adf13e
                                                  • Instruction Fuzzy Hash: 2E113832E4525D9BCB119BF8AC005EEBB30FF89320B24875AD62677091EB31594AC7A1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 465d4b6e237048690634827f01b3c10365f10cc5e83b62e8d2ca02da700ffb16
                                                  • Instruction ID: 9ec6252aab5e463122cd84e6318f95f9aff46221a0d78e1c10e7e6fafda3c66e
                                                  • Opcode Fuzzy Hash: 465d4b6e237048690634827f01b3c10365f10cc5e83b62e8d2ca02da700ffb16
                                                  • Instruction Fuzzy Hash: 5B2129359562098BCB14EFB4D850AEDB7B2BF8A305F109468D805773A4CB359942CF65
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0a73a62a3de21e28991ca951591d743eff3773084359b08e1a75f0491e3a5651
                                                  • Instruction ID: 35b242cf928b8c0d5404c967589de13997b4d2244f751112d068520142430e04
                                                  • Opcode Fuzzy Hash: 0a73a62a3de21e28991ca951591d743eff3773084359b08e1a75f0491e3a5651
                                                  • Instruction Fuzzy Hash: FF21D4716042498FCB159FB8D4546BB3BE2FF84714F108469F5199F291CB34CD66DBA0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 917552d5598547132d6ee501a83877c8bc8728b35980068f4fe812dc521d318f
                                                  • Instruction ID: 17d1b5c4ee77e9f6621db7e32e38b2f0afc8ff38e33df137d5fb55c534541a99
                                                  • Opcode Fuzzy Hash: 917552d5598547132d6ee501a83877c8bc8728b35980068f4fe812dc521d318f
                                                  • Instruction Fuzzy Hash: 622129359012098BCF14EFB4D840AEDB7B2FB8A305F109428D405733A4DB39A941CF65
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 950a930d7f89add39f40029918b78824cd0e5dcf660fc5275d8b21a53d969f01
                                                  • Instruction ID: d721739b79279762bf293e74c3d4dabe02fc82aada40ee8f112066538ac4c1fa
                                                  • Opcode Fuzzy Hash: 950a930d7f89add39f40029918b78824cd0e5dcf660fc5275d8b21a53d969f01
                                                  • Instruction Fuzzy Hash: 6411E132705E158FC7199A39C8A893FB7A6FF8876171445A9EA06DB350DF30DC1287D0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4152f637eed9982370f881c21f1bad9c3a30f5bcc7507b46f5c5cf98e362dd0c
                                                  • Instruction ID: 6350c540cebd77c6c5cf9782f381fe045240b437375f25acabf0587330f9ced5
                                                  • Opcode Fuzzy Hash: 4152f637eed9982370f881c21f1bad9c3a30f5bcc7507b46f5c5cf98e362dd0c
                                                  • Instruction Fuzzy Hash: 5B21E275C09609CFCB11EFA8C4945EEBBB1BF49304F1455AAD445B7220EB315A86CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d370c2c56e19006e564e4af62668add7980923c233af0585099aa8d284701e23
                                                  • Instruction ID: 8943cfbef2e5d0550004c0cbb2d4828b82496767361b5ce56febaf940ee392a8
                                                  • Opcode Fuzzy Hash: d370c2c56e19006e564e4af62668add7980923c233af0585099aa8d284701e23
                                                  • Instruction Fuzzy Hash: B421C0B5D0520A8FCB41EFA8D9555EDBFF0BF09300F10556AD805F7221EB305A95CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 945cd67eda0ae4bd88d3787fa76a69c66b91e5bca86b620b4191ad1ca6fb4e6e
                                                  • Instruction ID: 7e4c9f5de17cf13bb5b0e3e6ee0b1d3a64b7f02439ea3b770ee733f1e7256ed5
                                                  • Opcode Fuzzy Hash: 945cd67eda0ae4bd88d3787fa76a69c66b91e5bca86b620b4191ad1ca6fb4e6e
                                                  • Instruction Fuzzy Hash: 8101F572A041185FCB158E649800BFF3BE7DFD8751F18C02AFA19D7280CA318822A790
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1854713f79f26f0d432640dddd474135a7a7b1ffb86f7f344e29391534ec546c
                                                  • Instruction ID: de30d2e7cac9ef04199a976fd56346226e31fa19f60270cf63860437b469887c
                                                  • Opcode Fuzzy Hash: 1854713f79f26f0d432640dddd474135a7a7b1ffb86f7f344e29391534ec546c
                                                  • Instruction Fuzzy Hash: F7E09A359283A68ACB12ABB49C640EEBF30EDD7610B1586AAD4A067042EB30151BC7A1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 693e3798f3d864d92280617fab8e19dbf6bcb0216b9282827441e10483da261b
                                                  • Instruction ID: d26cce68da823cebe3fb35b2015d34ae8ca9a8fea085066bcf97393b9e8d8307
                                                  • Opcode Fuzzy Hash: 693e3798f3d864d92280617fab8e19dbf6bcb0216b9282827441e10483da261b
                                                  • Instruction Fuzzy Hash: 65D01235D2132A578B00A6A5DC044EEFB38EE96621B504626D51437140EB70265986B1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                  • Instruction ID: 265d4fdfb301120bfb006c12b3a0542369c1e311b588c0cffe53c7b84fccc425
                                                  • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                  • Instruction Fuzzy Hash: 70C0123320D1282AA624108E7C40AB7AB8CC2C17B8A250137FA5CA7210A842AC8001A8
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80e7347e8ac65dd899fa63a1b18c2ab0e199a78b370e23686eb0426f76a326e9
                                                  • Instruction ID: 9242a458832f1ea216d1a47ed1f195317b6a9819b8492759d06e561818ac1b5f
                                                  • Opcode Fuzzy Hash: 80e7347e8ac65dd899fa63a1b18c2ab0e199a78b370e23686eb0426f76a326e9
                                                  • Instruction Fuzzy Hash: 5ED0677BB45008EFDB049F98E8409DDB7B6FB9C221B048566E915E3260C6319961DB54
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b72f8e22bd67c5f45416d51cab3f0b5bd6c40025b68681612a14dea9b945590d
                                                  • Instruction ID: 3b0a6669688ecd87d4605bfacdcd99bee4e695b785d0d9c99698670a249f5f4d
                                                  • Opcode Fuzzy Hash: b72f8e22bd67c5f45416d51cab3f0b5bd6c40025b68681612a14dea9b945590d
                                                  • Instruction Fuzzy Hash: 6DD02E709083C20FDB12F370F9924A93B32AB82204F4486D6A8054941BEF7A486F8B22
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.1492916986.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_ef0000_rwlPT9YJt0.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e7d9fddfddaa016dc9e6df87f11564685e56efdbdc91a8c087d373058cf83998
                                                  • Instruction ID: a2ca77d28c30b2eb6a0c10912a6389a78fd79abb49520c9e8317b3dfc091c5de
                                                  • Opcode Fuzzy Hash: e7d9fddfddaa016dc9e6df87f11564685e56efdbdc91a8c087d373058cf83998
                                                  • Instruction Fuzzy Hash: 20C0807150470B47D505F7B1F945956336AF6C0600F408951B00D0551FDF7D59695792