Windows Analysis Report
RFQ 10046335 PO 4502042346 PR 11148099 411128.exe

Overview

General Information

Sample name: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
Analysis ID: 1463997
MD5: 0b57430159e81d152455d3d2936f44e0
SHA1: 245c53304354ad8c703b2dd4fce1cc1ec46573bb
SHA256: bea6547e13a91dea30b43f7b50a6e95d8cbc285c9a2c397fa52d17ce8351cc30
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Yara detected Credential Stealer

Classification

  • System is w10x64
  • RFQ 10046335 PO 4502042346 PR 11148099 411128.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe" MD5: 0B57430159E81D152455D3D2936F44E0)
    • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7640 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7860 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • jsc.exe (PID: 7752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["195.10.205.102:1912"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000004.00000002.1995159842.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1885755676.0000020ED3916000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe PID: 7576 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
4.2.jsc.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed3996548.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed394b310.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed3996548.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed394b310.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe", ParentImage: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, ParentProcessId: 7576, ParentProcessName: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 7640, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe", ParentImage: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, ParentProcessId: 7576, ParentProcessName: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 7640, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe", ParentImage: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, ParentProcessId: 7576, ParentProcessName: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 7640, ProcessName: powershell.exe
Timestamp: 06/28/24-08:47:31.833377
SID: 2043231
Source Port: 49731
Destination Port: 1912
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/28/24-08:47:29.500952
SID: 2046056
Source Port: 1912
Destination Port: 49731
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/28/24-08:47:24.044676
SID: 2046045
Source Port: 49731
Destination Port: 1912
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/28/24-08:47:24.248710
SID: 2043234
Source Port: 1912
Destination Port: 49731
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 4.2.jsc.exe.400000.0.unpack; Malware Configuration Extractor: RedLine {"C2 url": ["195.10.205.102:1912"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C:\Users\user\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; ReversingLabs: Detection: 39%
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Virustotal: Detection: 12%
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; ReversingLabs: Detection: 39%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push r14; 0_2_00007FF65F3DD7E0
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rdi; 0_2_00007FF65F363D20
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rbx; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then sub rsp, 28h; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rbx; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rbx; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rbx; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rbx; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rbx; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then sub rsp, 28h; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rsi; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rdi; 0_2_00007FF65F32DD30
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rbx; 0_2_00007FF65F2A1C50
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 4x nop then push rbx; 0_2_00007FF65F2A1C50

Networking

Source: Traffic; Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49731 -> 195.10.205.102:1912
Source: Traffic; Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49731 -> 195.10.205.102:1912
Source: Traffic; Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 195.10.205.102:1912 -> 192.168.2.4:49731
Source: Traffic; Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 195.10.205.102:1912 -> 192.168.2.4:49731
Source: Malware configuration extractor; URLs: 195.10.205.102:1912
Source: global traffic; TCP traffic: 192.168.2.4:49731 -> 195.10.205.102:1912
Source: Joe Sandbox View; ASN Name: TSSCOM-ASRU TSSCOM-ASRU
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                          Source: jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.drString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exeString found in binary or memory: https://aka.ms/nativeaot-c
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.drString found in binary or memory: https://aka.ms/nativeaot-compatibilityY
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.drString found in binary or memory: https://aka.ms/nativeaot-compatibilityy
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, 00000000.00000002.1885755676.0000020ED3916000.00000004.00001000.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1995159842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                          Source: jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

                          Source: initial sampleStatic PE information: Filename: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D38B00_2_00007FF65F2D38B0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D21B00_2_00007FF65F2D21B0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2CC0A00_2_00007FF65F2CC0A0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2B20800_2_00007FF65F2B2080
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2DE8E00_2_00007FF65F2DE8E0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D58C00_2_00007FF65F2D58C0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2B31300_2_00007FF65F2B3130
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2C17B40_2_00007FF65F2C17B4
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F357F400_2_00007FF65F357F40
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2ABF900_2_00007FF65F2ABF90
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D67E00_2_00007FF65F2D67E0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2CC7D00_2_00007FF65F2CC7D0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2B3EF00_2_00007FF65F2B3EF0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2AB6F00_2_00007FF65F2AB6F0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2A6ED00_2_00007FF65F2A6ED0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2C1D600_2_00007FF65F2C1D60
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2BD6200_2_00007FF65F2BD620
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2C6C900_2_00007FF65F2C6C90
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D54900_2_00007FF65F2D5490
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2CBC800_2_00007FF65F2CBC80
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2C02A00_2_00007FF65F2C02A0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2B9A900_2_00007FF65F2B9A90
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2A82D00_2_00007FF65F2A82D0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D4B100_2_00007FF65F2D4B10
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D71B00_2_00007FF65F2D71B0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D29B00_2_00007FF65F2D29B0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2B81F00_2_00007FF65F2B81F0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2D31E00_2_00007FF65F2D31E0
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2A39D00_2_00007FF65F2A39D0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 4_2_00B325D84_2_00B325D8
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 4_2_00B3DC744_2_00B3DC74
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 4_2_054376604_2_05437660
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 4_2_054396C84_2_054396C8
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 4_2_0543B1704_2_0543B170
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 4_2_054369284_2_05436928
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 4_2_0543B9E84_2_0543B9E8
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: String function: 00007FF65F2ADBD0 appears 64 times
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exeBinary or memory string: OriginalFilename vs RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, 00000000.00000000.1865499941.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSorterObjectArrayNegateSaturate.dll` vs RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, 00000000.00000003.1880665917.0000020ECF0EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSorterObjectArrayNegateSaturate.dll` vs RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, 00000000.00000002.1885755676.0000020ED3916000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, 00000000.00000002.1885755676.0000020ED3916000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSorterObjectArrayNegateSaturate.dll` vs RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exeBinary or memory string: OriginalFilenameSorterObjectArrayNegateSaturate.dll` vs RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.drBinary or memory string: OriginalFilenameSorterObjectArrayNegateSaturate.dll` vs RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exeStatic PE information: Section: .rsrc ZLIB complexity 0.9971849173553718
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.drStatic PE information: Section: .rsrc ZLIB complexity 0.9971849173553718
                          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/8@0/1
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeCode function: 0_2_00007FF65F2B2F60 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,0_2_00007FF65F2B2F60
                          Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeFile created: C:\Users\user\RFQ 10046335 PO 4502042346 PR 11148099 411128.exeJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeMutant created: NULL
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cc2dcv04.rrt.ps1Jump to behavior
                          Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Virustotal: Detection: 12%
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | File read: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe "C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe"
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Section loaded: icu.dll
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static file information: File size 2440192 > 1048576
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: section name: .managed
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | Static PE information: section name: hydrated
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.dr | Static PE information: section name: .managed
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.dr | Static PE information: section name: hydrated
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | File created: \rfq 10046335 po 4502042346 pr 11148099 411128.exe
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | File created: C:\Users\user\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe

                          Boot Survival

Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | File created: C:\Users\user\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe

                          Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Memory allocated: 20ECF1A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: B30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 25F0000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6543
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Window / User API: threadDelayed 669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Window / User API: threadDelayed 2081
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_0-16182)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844; Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8072; Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7772; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 0_2_00007FF65F2B2B90 GetSystemInfo, GetNumaHighestNodeNumber, GetCurrentProcess, GetProcessGroupAffinity, GetLastError, GetCurrentProcess, GetProcessAffinityMask, 0_2_00007FF65F2B2B90
Source: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.dr; Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: jsc.exe, 00000004.00000002.2003410185.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 0_2_00007FF65F2A8130 RtlAddVectoredExceptionHandler, RaiseFailFastException, 0_2_00007FF65F2A8130
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 0_2_00007FF65F30B70C SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 0_2_00007FF65F30B70C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 432000
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 450000
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 682008
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 0_2_00007FF65F30BDA4 cpuid 0_2_00007FF65F30BDA4
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: GetLocaleInfoEx, 0_2_00007FF65F370D30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe; Code function: 0_2_00007FF65F2AEB00 GetSystemTimeAsFileTime, 0_2_00007FF65F2AEB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 4.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed3996548.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed394b310.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed3996548.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed394b310.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.1995159842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1885755676.0000020ED3916000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe PID: 7576, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: jsc.exe PID: 7752, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                          Source: Yara matchFile source: 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: jsc.exe PID: 7752, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 4.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed3996548.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed394b310.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed3996548.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.20ed394b310.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1995159842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1885755676.0000020ED3916000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe PID: 7576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jsc.exe PID: 7752, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | [2 2 1] Windows Management Instrumentation | [1] DLL Side-Loading | [1] Access Token Manipulation | [1 1 1] Masquerading | [1] OS Credential Dumping | [1] System Time Discovery | Remote Services | [1] Archive Collected Data | [1] Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | [1] Native API | Boot or Logon Initialization Scripts | [3 1 1] Process Injection | [1 1] Disable or Modify Tools | LSASS Memory | [3 2 1] Security Software Discovery | Remote Desktop Protocol | [2] Data from Local System | [1] Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | [1] DLL Side-Loading | [2 4 1] Virtualization/Sandbox Evasion | Security Account Manager | [1] Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | [1] Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | [1] Access Token Manipulation | NTDS | [2 4 1] Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | [3 1 1] Process Injection | LSA Secrets | [1] Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | [1] Deobfuscate/Decode Files or Information | Cached Domain Credentials | [1 3 5] System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | [2] Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | [1] Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | [1] DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1463997
Sample: RFQ 10046335 PO 4502042346 ...
Startdate: 28/06/2024
Architecture: WINDOWS
Score: 100

Start (node 2)
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 8 other signatures
  -> started: RFQ 10046335 PO 4502042346 PR 11148099 411128.exe 3 (node 7)
     Dropped: RFQ 10046335 PO 45...11148099 411128.exe, PE32+ (node 23); RFQ 10046335 PO 45...exe:Zone.Identifier, ASCII (node 25)
     Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
     -> started: jsc.exe 5 4 (node 11)
        DNS/IP: 195.10.205.102, 1912, 49731 TSSCOM-ASRU Russian Federation (node 27)
        Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
     -> started: powershell.exe 23 (node 15)
        Signatures: Loading BitLocker PowerShell Module
        -> started: WmiPrvSE.exe (node 19)
        -> started: conhost.exe (node 21)
     -> started: conhost.exe (node 17)

Source | Detection | Scanner | Label
RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | 12% | Virustotal |
RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | 39% | ReversingLabs | Win64.Spyware.RedLine

Source | Detection | Scanner | Label
C:\Users\user\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | 39% | ReversingLabs | Win64.Spyware.RedLine

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://tempuri.org/ | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | Virustotal |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 2% | Virustotal |
http://tempuri.org/Entity/Id12Response | 2% | Virustotal |
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal |
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | Virustotal |
http://tempuri.org/Entity/Id21Response | 4% | Virustotal |
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | Virustotal |
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8 | 1% | Virustotal |
http://tempuri.org/Entity/Id5 | 1% | Virustotal |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | Virustotal |
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | Virustotal |
http://tempuri.org/Entity/Id6 | 1% | Virustotal |
http://tempuri.org/Entity/Id7 | 1% | Virustotal |
http://tempuri.org/Entity/Id4 | 1% | Virustotal |
http://tempuri.org/Entity/Id9 | 3% | Virustotal |
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-compatibility | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19Response | 2% | Virustotal |
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | Virustotal |
https://aka.ms/nativeaot-compatibility | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | Virustotal |
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 2% | Virustotal |
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | Virustotal |
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | Virustotal |
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6Response | 2% | Virustotal |
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-compatibilityy | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | Virustotal |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | Avira URL Cloud | safe

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12Response | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/ | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21Response | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id9 | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id8 | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id4 | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id19Response | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibility | RFQ 10046335 PO 4502042346 PR 11148099 411128.exe, 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id15Response | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6Response | jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp | false
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://api.ip.sb/ipRFQ 10046335 PO 4502042346 PR 11148099 411128.exe, 00000000.00000002.1885755676.0000020ED3916000.00000004.00001000.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1995159842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/scjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id1ResponseDjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Canceljsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id9Responsejsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://aka.ms/nativeaot-compatibilityyRFQ 10046335 PO 4502042346 PR 11148099 411128.exe, RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id20jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id21jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id22jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id23jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id24jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issuejsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id24Responsejsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.ecosia.org/newtab/jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id1Responsejsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedjsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegojsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/08/addressingjsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://aka.ms/nativeaot-compatibilityYRFQ 10046335 PO 4502042346 PR 11148099 411128.exe, RFQ 10046335 PO 4502042346 PR 11148099 411128.exe.0.drfalse
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuejsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/trustjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id10jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id11jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id12jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id16Responsejsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsejsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Canceljsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id13jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id14jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id15jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id16jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/Noncejsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id17jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id18jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id5Responsejsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id19jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsjsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id10Responsejsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/Renewjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/Entity/Id8Responsejsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://aka.ms/nativeaot-cRFQ 10046335 PO 4502042346 PR 11148099 411128.exefalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2006/02/addressingidentityjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/soap/envelope/jsc.exe, 00000004.00000002.1996982292.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1jsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=jsc.exe, 00000004.00000002.1996982292.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trustjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://duckduckgo.com/chrome_newtabSjsc.exe, 00000004.00000002.1996982292.0000000002F38000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000004.00000002.1996982292.0000000002EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbackjsc.exe, 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.10.205.102 | unknown | Russian Federation | 35813 | TSSCOM-ASRU | true
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1463997
                            Start date and time:2024-06-28 08:46:08 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 30s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:10
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@8/8@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtCreateKey calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:47:21 | API Interceptor | 19x Sleep call for process: powershell.exe modified
02:47:29 | API Interceptor | 15x Sleep call for process: jsc.exe modified
                            No context
                            No context
Match: TSSCOM-ASRU
Associated Sample Name / URL | Detection | Threat Name | Context
sWXyzk4Kv3.exe | malicious | AsyncRAT | 195.10.205.90
SecuriteInfo.com.Win32.TrojanX-gen.9663.10822.exe | malicious | Xmrig | 195.10.205.162
JCqU250N6g.exe | malicious | RedLine | 195.10.205.91
1f3d6f01961645f.exe | malicious | Unknown | 195.10.205.74
1f3d6f01961645f.exe | malicious | Unknown | 195.10.205.74
Ck5Yckrogl.exe | malicious | RedLine | 195.10.205.79
SD5IYbZmDL.exe | malicious | RedLine | 195.10.205.16
3DmdxH8ksO.exe | malicious | LummaC Stealer, PrivateLoader, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 195.10.205.16
DjZ61wINTx.exe | malicious | LummaC Stealer, PrivateLoader, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader, Xmrig | 195.10.205.16
4e70f9de2a4e122b0ba1db7c63ac443e39bbfd9e2b475.exe | malicious | LummaC Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader | 195.10.205.16
                            No context
                            No context
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):3094
                            Entropy (8bit):5.33145931749415
                            Encrypted:false
                            SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                            MD5:3FD5C0634443FB2EF2796B9636159CB6
                            SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                            SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                            SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1628158735648508
                            Encrypted:false
                            SSDEEP:3:Nlllul5mxllp:NllU4x/
                            MD5:3A925CB766CE4286E251C26E90B55CE8
                            SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                            SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                            SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:@...e................................................@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):2440192
                            Entropy (8bit):7.07799900264123
                            Encrypted:false
                            SSDEEP:49152:IF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUYeaw1GlNOmTCbCuF:KroA7PxBOb
                            MD5:0B57430159E81D152455D3D2936F44E0
                            SHA1:245C53304354AD8C703B2DD4FCE1CC1EC46573BB
                            SHA-256:BEA6547E13A91DEA30B43F7B50A6E95D8CBC285C9A2C397FA52D17CE8351CC30
                            SHA-512:C70103E599A534BD6AAD4238DF567223FC4D2A7B07632BE09C42EA2F46E3C941523EAD3B3EE27ABE72445DED4E33A646421A176D82FAB637B4B500782B629F40
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 39%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'..Ec...c...c....v..j....v..n....v..M...j.D.m...(...h...c...n....w..k....w..b...c...b....w..$...pq..b...pq..b...Richc...................PE..d...2.}f.........."....(......................@..............................+...........`.........................................`.#.X.....#......@&.......%..6............+......f!.T....................h!.(....d!.@............................................text............................... ..`.managed............................ ..`hydrated@................................rdata.............................@..@.data...h.....$......*..............@....pdata...6....%..8...D..............@..@.rsrc........@&......| .............@..@.reloc........+......6%.............@..B........................................................................................................................................................
                            Process:C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0
                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                            Entropy (8bit):7.07799900264123
                            TrID:
                            • Win64 Executable GUI Net Framework (217006/5) 49.88%
                            • Win64 Executable GUI (202006/5) 46.43%
                            • Win64 Executable (generic) (12005/4) 2.76%
                            • Generic Win/DOS Executable (2004/3) 0.46%
                            • DOS Executable Generic (2002/1) 0.46%
                            File name:RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                            File size:2'440'192 bytes
                            MD5:0b57430159e81d152455d3d2936f44e0
                            SHA1:245c53304354ad8c703b2dd4fce1cc1ec46573bb
                            SHA256:bea6547e13a91dea30b43f7b50a6e95d8cbc285c9a2c397fa52d17ce8351cc30
                            SHA512:c70103e599a534bd6aad4238df567223fc4d2a7b07632be09c42ea2f46e3c941523ead3b3ee27abe72445ded4e33a646421a176d82fab637b4b500782b629f40
                            SSDEEP:49152:IF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUYeaw1GlNOmTCbCuF:KroA7PxBOb
                            TLSH:C6B5BD15E3E801A8D877D630CA62A332DBB079961730D58F065DD65A2F73EA19B3F312
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'..Ec...c...c....v..j....v..n....v..M...j.D.m...(...h...c...n....w..k....w..b...c...b....w..$...pq..b...pq..b...Richc..........
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x14006b3dc
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x667DA332 [Thu Jun 27 17:36:50 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:97f00b2383bd4369e5094078fdccae7a
Instruction (entry point, x86-64 decode)
sub rsp, 28h
call 00007F4F7D1F6780h
add rsp, 28h
jmp 00007F4F7D1F5FC7h
int3
int3
jmp 00007F4F7D1F6AFCh
int3
int3
int3
sub rsp, 28h
mov r8, qword ptr [r9+38h]
mov rcx, rdx
mov rdx, r9
call 00007F4F7D1F6162h
mov eax, 00000001h
add rsp, 28h
ret
int3
int3
int3
push rbx
mov r11d, dword ptr [r8]
mov rbx, rdx
and r11d, FFFFFFF8h
mov r9, rcx
test byte ptr [r8], 00000004h
mov r10, rcx
je 00007F4F7D1F6165h
mov eax, dword ptr [r8+08h]
movsxd r10, dword ptr [r8+04h]
neg eax
add r10, rcx
movsxd rcx, eax
and r10, rcx
movsxd rax, r11d
mov rdx, qword ptr [rax+r10]
mov rax, qword ptr [rbx+10h]
mov ecx, dword ptr [rax+08h]
mov rax, qword ptr [rbx+08h]
test byte ptr [rcx+rax+03h], 0000000Fh
je 00007F4F7D1F615Dh
movzx eax, byte ptr [rcx+rax+03h]
and eax, FFFFFFF0h
add r9, rax
xor r9, rdx
mov rcx, r9
pop rbx
jmp 00007F4F7D1F6172h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [rax+rax+00000000h]
cmp rcx, qword ptr [rip+001D73A9h]
jne 00007F4F7D1F6162h
rol rcx, 10h
test cx, FFFFh
jne 00007F4F7D1F6153h
                            Programming Language:
                            • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x23ec60 | 0x58 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23ecb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x264000 | 0x4b918 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x250000 | 0x1368c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2b0000 | 0x5ec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x216600 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x216800 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2164c0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x198000 | 0x818 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6fef8 | 0x70000 | dd316bc2c65b1ae399457fdba120fa82 | False | 0.45282200404575895 | data | 6.641185225824904 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed | 0x71000 | 0xd9b18 | 0xd9c00 | 74b435642e339cdb1b2a678eb60c92d8 | False | 0.4628401711394948 | data | 6.464502436229499 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated | 0x14b000 | 0x4c540 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x198000 | 0xa89e4 | 0xa8a00 | 5136a3db5b9bcc5734abe5310647f73e | False | 0.48930052353595255 | data | 6.720923141068736 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x241000 | 0xe668 | 0x1a00 | f7893d3998d6fe23c3c2fd83a455cf8d | False | 0.22581129807692307 | data | 3.2697501080046183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x250000 | 0x1368c | 0x13800 | e5aeded247d82c5d18901a5f5b1c4999 | False | 0.49800931490384615 | data | 6.163194359627306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x264000 | 0x4b918 | 0x4ba00 | eb47f429e2704c0f322922e73df5efeb | False | 0.9971849173553718 | data | 7.998508779194308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2b0000 | 0x5ec | 0x600 | 22b17bd43d0ff4894ef88b7e105d8348 | False | 0.5989583333333334 | data | 5.299377162126531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BINARY | 0x264110 | 0x4b2a4 | data | | | 1.0003280541516715
RT_VERSION | 0x2af3b4 | 0x378 | data | | | 0.35923423423423423
RT_MANIFEST | 0x2af72c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
ADVAPI32.dll | AdjustTokenPrivileges, CreateWellKnownSid, DeregisterEventSource, DuplicateTokenEx, GetSecurityDescriptorLength, GetTokenInformation, GetWindowsAccountDomainSid, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, RegCloseKey, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteTreeW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExA, RegSetValueExW, RegisterEventSourceW, ReportEventW, RevertToSelf, SetThreadToken
bcrypt.dll | BCryptDestroyKey, BCryptEncrypt, BCryptGenRandom, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptDecrypt, BCryptCloseAlgorithmProvider, BCryptImportKey
KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, AllocConsole, CancelThreadpoolIo, CloseHandle, CloseThreadpoolIo, CompareStringEx, CompareStringOrdinal, CopyFileExW, CreateDirectoryW, CreateEventExW, CreateFileW, CreateProcessA, CreateSymbolicLinkW, CreateThreadpoolIo, DeleteCriticalSection, DeleteFileW, DeleteVolumeMountPointW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, EnumCalendarInfoExEx, EnumTimeFormatsEx, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNLSStringEx, FindNextFileW, FindStringOrdinal, FlushFileBuffers, FormatMessageW, FreeConsole, FreeLibrary, GetCPInfo, GetCalendarInfoEx, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumberEx, GetCurrentThread, GetDynamicTimeZoneInformation, GetEnvironmentVariableW, GetFileAttributesExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLocaleInfoEx, GetLogicalDrives, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetOverlappedResult, GetProcAddress, GetStdHandle, GetSystemDirectoryW, GetSystemTime, GetThreadPriority, GetTickCount64, GetTimeZoneInformation, GetUserPreferredUILanguages, GetVolumeInformationW, InitializeConditionVariable, InitializeCriticalSection, IsDebuggerPresent, LCMapStringEx, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, LocaleNameToLCID, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseFailFastException, ReadFile, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResolveLocaleName, ResumeThread, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadErrorMode, SetThreadPriority, Sleep, SleepConditionVariableCS, StartThreadpoolIo, SystemTimeToFileTime, TzSpecificLocalTimeToSystemTime, VirtualAlloc, VirtualFree, WaitForMultipleObjectsEx, WakeConditionVariable, WideCharToMultiByte, WriteFile, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, VerSetConditionMask, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, GetThreadContext, SetThreadContext, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, VerifyVersionInfoW, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, VirtualQuery, GetSystemTimeAsFileTime, InitializeCriticalSectionEx, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlUnwindEx, InitializeSListHead, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlLookupFunctionEntry
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CoWaitForMultipleHandles, CoInitializeEx, CoCreateGuid, CoGetApartmentType
USER32.dll | LoadStringW
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr, floor, pow, modf, sin, cos, ceil, tan
api-ms-win-crt-heap-l1-1-0.dll | free, calloc, _set_new_mode, malloc, _callnewh
api-ms-win-crt-string-l1-1-0.dll | strncpy_s, strcpy_s, _stricmp, wcsncmp, strcmp
api-ms-win-crt-convert-l1-1-0.dll | strtoull
api-ms-win-crt-runtime-l1-1-0.dll | _register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___wargv, __p___argc, _exit, exit, _initterm_e, terminate, _crt_atexit, _initterm, _register_onexit_function, _get_initial_wide_environment, abort, _initialize_onexit_table, _initialize_wide_environment, _configure_wide_argv, _seh_filter_exe, _set_app_type
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsscanf, __p__commode, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vsprintf_s, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Name | Ordinal | Address
DotNetRuntimeDebugHeader | 1 | 0x140241d50
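Static triage of the section, export and import tables above, as an added example (this is the editor's Python, not Joe Sandbox code and not anything shipped with the sample). The rows are copied from the report and embedded as constructed input so the script runs offline; the entropy threshold, the NativeAOT marker test and the process-hollowing import checklist are heuristics chosen for this example, not report fields. Two things the tables already show and the script makes explicit: the `.managed`/`hydrated` section pair together with an exported `DotNetRuntimeDebugHeader` is the layout produced by .NET NativeAOT (ILCompiler), which is why the CLR data directory is empty and the CLR version blank although TrID labels the file ".Net Framework"; and the `.rsrc` entropy of 7.9985 with ZLIB complexity 1.0 means the 0x4b2a4-byte BINARY resource is effectively random bytes, i.e. a compressed or encrypted payload.

```python
"""Static triage of the PE metadata in the report (added example, not Joe Sandbox code).

The section, export and import rows are copied from the report and embedded here as
constructed input so the script runs offline (entropy values rounded).  The threshold,
the NativeAOT marker test and the hollowing checklist are heuristics for this example.
"""
import math
from collections import Counter

IMAGE_BASE = 0x140000000
ENTRY_POINT_VA = 0x14006B3DC

# (name, virtual address, virtual size, raw size, entropy, characteristics)
SECTIONS = [
    (".text",    0x1000,   0x6FEF8, 0x70000, 6.641, "CODE|EXECUTE|READ"),
    (".managed", 0x71000,  0xD9B18, 0xD9C00, 6.465, "CODE|EXECUTE|READ"),
    ("hydrated", 0x14B000, 0x4C540, 0x0,     0.0,   "UNINITIALIZED_DATA|READ|WRITE"),
    (".rdata",   0x198000, 0xA89E4, 0xA8A00, 6.721, "INITIALIZED_DATA|READ"),
    (".data",    0x241000, 0xE668,  0x1A00,  3.270, "INITIALIZED_DATA|READ|WRITE"),
    (".pdata",   0x250000, 0x1368C, 0x13800, 6.163, "INITIALIZED_DATA|READ"),
    (".rsrc",    0x264000, 0x4B918, 0x4BA00, 7.999, "INITIALIZED_DATA|READ"),
    (".reloc",   0x2B0000, 0x5EC,   0x600,   5.299, "INITIALIZED_DATA|DISCARDABLE|READ"),
]
EXPORTS = ["DotNetRuntimeDebugHeader"]
# Subset of the import table that the checklist below cares about.
IMPORTS = {
    "KERNEL32.dll": ["CreateProcessA", "GetProcAddress", "LoadLibraryExW", "VirtualAlloc",
                     "SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread"],
    "bcrypt.dll": ["BCryptOpenAlgorithmProvider", "BCryptImportKey", "BCryptDecrypt"],
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes (the 'Entropy (8bit)' column)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections, rva):
    """Name of the section whose virtual range holds rva, or None (reproduces 'Entrypoint Section')."""
    for name, va, vsize, *_ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def triage_sections(sections, packed_threshold=7.9):
    """Flag sections that usually mean an embedded payload or runtime-written data."""
    findings = []
    for name, _va, vsize, rsize, entropy, chars in sections:
        if rsize >= 0x1000 and entropy >= packed_threshold:
            findings.append((name, "near-uniform bytes: compressed or encrypted payload"))
        if "EXECUTE" in chars and "WRITE" in chars:
            findings.append((name, "writable and executable"))
        if rsize == 0 and vsize > 0 and "WRITE" in chars:
            findings.append((name, "no bytes on disk, populated at runtime"))
    return findings


def looks_native_aot(sections, exports):
    """ILCompiler emits .managed and hydrated sections and exports DotNetRuntimeDebugHeader."""
    names = {s[0] for s in sections}
    return {".managed", "hydrated"} <= names and "DotNetRuntimeDebugHeader" in exports


# Classic process-hollowing chain.  A member that is absent from the static import
# table while the sandbox still observed the behaviour points at runtime resolution
# through GetProcAddress (which this binary does import).
HOLLOWING_PRIMITIVES = ("CreateProcessA", "CreateProcessW", "NtUnmapViewOfSection", "VirtualAllocEx",
                        "WriteProcessMemory", "GetThreadContext", "SetThreadContext", "ResumeThread")


def injection_import_checklist(imports):
    """Map each primitive to whether it is statically imported."""
    present = {fn for fns in imports.values() for fn in fns}
    return {fn: fn in present for fn in HOLLOWING_PRIMITIVES}


if __name__ == "__main__":
    ep_rva = ENTRY_POINT_VA - IMAGE_BASE
    print(f"entry point RVA {ep_rva:#x} lies in {section_for_rva(SECTIONS, ep_rva)}")
    for name, why in triage_sections(SECTIONS):
        print(f"{name:10} {why}")
    print("NativeAOT layout:", looks_native_aot(SECTIONS, EXPORTS))
    for fn, ok in injection_import_checklist(IMPORTS).items():
        print(f"{'import' if ok else 'absent'}  {fn}")
```

To run this against a real file, replace `SECTIONS` with values parsed from the section headers (pefile's `section.get_entropy()` computes the same measure as `shannon_entropy`); the entry-point lookup reproduces the report's "Entrypoint Section: .text", and the empty-MD5 value d41d8cd98f00b204e9800998ecf8427e on `hydrated` is simply the hash of its zero raw bytes.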
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/28/24-08:47:31.833377 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
06/28/24-08:47:29.500952 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
06/28/24-08:47:24.044676 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
06/28/24-08:47:24.248710 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
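Correlating the four Snort alerts above with the packet list that follows, as an added example (the editor's Python, not Joe Sandbox code). The packet rows are the first fourteen of the capture, copied from the report and embedded as constructed input. The script assumes both timestamp columns are in the same zone (the capture prints CEST, Snort prints none) and that Snort's microsecond timestamps are rounded from the capture's nanosecond timestamps, which is why alerts are matched to the nearest packet in the same direction within a tolerance rather than by equality. The CnC-activity alert at 08:47:31 has no packet in the embedded subset and correlates to None rather than to a wrong packet.

```python
"""Correlate Snort alerts with the packet list (added example, not Joe Sandbox code).

The packet rows are the first fourteen of the report's packet list and the alerts are its
Snort table, embedded here as constructed input.  Assumes both clocks are in the same zone
and that Snort's microsecond stamps are rounded from the capture's nanosecond stamps.
"""
from datetime import datetime

EPOCH = datetime(1970, 1, 1)
NS = 10**9

PACKETS_RAW = """\
Jun 28, 2024 08:47:23.101418972 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:23.106427908 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:23.109050035 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:23.118577003 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:23.123532057 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:23.777523041 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:23.824374914 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:24.044676065 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:24.050185919 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:24.248709917 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:24.293123960 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:29.296793938 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:29.301635027 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:29.500952005 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
"""

# (snort timestamp, sid, source ip, dest ip) from the Snort table
ALERTS = [
    ("06/28/24-08:47:31.833377", 2043231, "192.168.2.4", "195.10.205.102"),
    ("06/28/24-08:47:29.500952", 2046056, "195.10.205.102", "192.168.2.4"),
    ("06/28/24-08:47:24.044676", 2046045, "192.168.2.4", "195.10.205.102"),
    ("06/28/24-08:47:24.248710", 2043234, "195.10.205.102", "192.168.2.4"),
]


def _to_ns(whole: datetime, frac: str) -> int:
    """Seconds since the epoch as integer nanoseconds; the fraction keeps its full precision."""
    return int((whole - EPOCH).total_seconds()) * NS + int(frac.ljust(9, "0"))


def parse_capture_ts(s: str) -> int:
    """'Jun 28, 2024 08:47:23.101418972 CEST' -> ns (strptime's %f cannot take nine digits)."""
    body, _zone = s.rsplit(" ", 1)
    whole, frac = body.rsplit(".", 1)
    return _to_ns(datetime.strptime(whole, "%b %d, %Y %H:%M:%S"), frac)


def parse_snort_ts(s: str) -> int:
    """'06/28/24-08:47:31.833377' -> ns."""
    whole, frac = s.rsplit(".", 1)
    return _to_ns(datetime.strptime(whole, "%m/%d/%y-%H:%M:%S"), frac)


def parse_packets(text: str):
    """Rows of (ns, src ip, src port, dst ip, dst port)."""
    rows = []
    for line in text.strip().splitlines():
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        rows.append((parse_capture_ts(ts), sip, int(sport), dip, int(dport)))
    return rows


def flow_summary(packets):
    """One record per endpoint pair; whoever sent the first packet is the client."""
    flows = {}
    for ts, sip, sport, dip, dport in sorted(packets):
        key = frozenset([(sip, sport), (dip, dport)])
        f = flows.setdefault(key, {"client": (sip, sport), "server": (dip, dport),
                                   "first": ts, "last": ts, "c2s": 0, "s2c": 0})
        f["last"] = ts
        f["c2s" if (sip, sport) == f["client"] else "s2c"] += 1
    return list(flows.values())


def match_alert(alert_ns, sip, dip, packets, tolerance_ns=1000):
    """Nearest packet travelling in the alert's direction within tolerance, else None."""
    best = None
    for ts, psip, _, pdip, _ in packets:
        if (psip, pdip) != (sip, dip):
            continue
        delta = abs(ts - alert_ns)
        if delta <= tolerance_ns and (best is None or delta < best[0]):
            best = (delta, ts)
    return best[1] if best else None


def correlate(alerts, packets):
    """sid -> matched packet timestamp in ns, or None when the list has no such packet."""
    return {sid: match_alert(parse_snort_ts(ts), sip, dip, packets) for ts, sid, sip, dip in alerts}


if __name__ == "__main__":
    pkts = parse_packets(PACKETS_RAW)
    for f in flow_summary(pkts):
        print(f"{f['client']} -> {f['server']}: {f['c2s']} c2s / {f['s2c']} s2c, "
              f"{(f['last'] - f['first']) / NS:.3f} s")
    for sid, ts in correlate(ALERTS, pkts).items():
        print(sid, "matched packet at" if ts else "no packet in list", ts or "")
```

The flow record (client 192.168.2.4:49731, server 195.10.205.102:1912, non-standard port) is the IOC to carry into blocking and hunting; the integer-nanosecond representation avoids the microsecond truncation and local-timezone conversion that `datetime.timestamp()` would introduce when comparing the two clocks.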
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 28, 2024 08:47:23.101418972 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:23.106427908 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:23.109050035 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:23.118577003 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:23.123532057 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:23.777523041 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:23.824374914 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:24.044676065 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:24.050185919 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:24.248709917 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:24.293123960 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:29.296793938 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:29.301635027 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:29.500952005 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:29.500981092 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:29.500998020 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:29.501013041 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:29.501028061 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:29.501035929 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:29.501055002 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:29.501131058 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.785341978 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.791244030 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.791380882 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.791551113 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.791610003 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.791652918 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.791666985 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.791713953 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.791954994 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.792009115 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.792021990 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.792028904 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.792035103 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.792052984 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.792066097 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.792069912 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.792108059 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.796566010 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.796590090 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.796641111 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.796647072 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.796653986 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.796694040 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.796711922 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.796762943 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.796839952 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.796912909 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.797327995 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.797414064 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.797467947 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.797530890 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.801944971 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802005053 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.802182913 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802264929 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.802270889 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802324057 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.802412033 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802473068 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.802484035 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802496910 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802544117 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.802584887 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802598000 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802611113 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802642107 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802650928 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.802654028 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802665949 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802704096 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802751064 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802762985 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802850008 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802854061 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.802862883 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802875042 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.802911043 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.804439068 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.804451942 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.804464102 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.804774046 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807244062 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807320118 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807332993 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807343006 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807344913 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807367086 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807372093 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807379007 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807396889 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807411909 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807425022 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807456017 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807461023 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807590008 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807602882 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807614088 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807615042 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807629108 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807631969 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807651043 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807661057 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807662964 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807674885 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807706118 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807713985 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.807718039 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807766914 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807780027 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807791948 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807815075 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807826996 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807838917 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807877064 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807889938 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807902098 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807915926 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807928085 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807985067 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.807997942 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808010101 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808104038 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808123112 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808239937 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808253050 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808264971 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808312893 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808326006 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808336973 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808358908 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808372021 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808382988 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808394909 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808408976 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808491945 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808505058 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808516979 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808537006 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808552980 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808573008 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808573961 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.808585882 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808598042 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808609962 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808633089 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808643103 CEST | 49731 | 1912 | 192.168.2.4 | 195.10.205.102
Jun 28, 2024 08:47:30.808645964 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808657885 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808789015 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808800936 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
Jun 28, 2024 08:47:30.808811903 CEST | 1912 | 49731 | 195.10.205.102 | 192.168.2.4
                            Jun 28, 2024 08:47:30.808824062 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.808836937 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.808847904 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.809695959 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812027931 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812081099 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812093019 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812112093 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812135935 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812149048 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812160969 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812172890 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812186956 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812206984 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812310934 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812323093 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812345028 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812357903 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812411070 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812423944 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.812438011 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813184977 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813278913 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813395023 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813462973 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813474894 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813487053 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813508034 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813519955 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813571930 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813585043 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813596964 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813625097 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813637018 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813648939 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813672066 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813684940 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813697100 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813716888 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813730955 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813743114 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813764095 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813776970 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813788891 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813821077 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813854933 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.813885927 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813915014 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.813967943 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.813981056 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814008951 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814021111 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814033031 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814044952 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814059019 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814069986 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814104080 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814116001 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814126968 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814147949 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814160109 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814172983 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814445019 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814450026 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814455032 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814523935 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814536095 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814548016 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814569950 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814583063 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814599991 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814611912 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814624071 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814635038 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814657927 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814676046 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814688921 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814709902 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814722061 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814733982 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814929008 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814941883 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814953089 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814965963 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814976931 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.814989090 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.815078974 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.815080881 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.815093040 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.815104961 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.815116882 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818759918 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818772078 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818784952 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818797112 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818820000 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818831921 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818854094 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818866014 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818907976 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818934917 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.818941116 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818988085 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.818996906 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.819000959 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819041014 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819055080 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819067955 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819081068 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819092989 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819104910 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819118977 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819130898 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819142103 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819154024 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819165945 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819178104 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819227934 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819240093 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819251060 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819262981 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819284916 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819297075 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819308996 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819320917 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819333076 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819344044 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819355965 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819367886 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819380999 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819394112 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819405079 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819427013 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819438934 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819504023 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819515944 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819542885 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819555998 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819566965 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819578886 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819591045 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819665909 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819678068 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.819689035 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.820856094 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.820868969 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.823971987 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824136972 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.824146986 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824160099 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824208975 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824213028 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.824280977 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824292898 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824315071 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824326992 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824338913 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824351072 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824362993 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824393034 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824405909 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824433088 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824445009 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824505091 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824517012 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824528933 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824542999 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824594021 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824635029 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824675083 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824687958 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824733973 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824747086 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824765921 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824780941 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824794054 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824805021 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824824095 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824892998 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824904919 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.824915886 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825223923 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825243950 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825256109 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825269938 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825283051 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825294018 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825306892 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825318098 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825330019 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825344086 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825355053 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825366974 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825377941 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825391054 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825402021 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825413942 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825424910 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825437069 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825592041 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.825603962 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.828985929 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.828999043 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829102993 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829114914 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829127073 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829138041 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829171896 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829185009 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829262972 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829274893 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829294920 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829308987 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829323053 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829377890 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829384089 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.829391003 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829402924 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829452038 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829454899 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.829464912 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829477072 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829488993 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829500914 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829514980 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829546928 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829585075 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829622030 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829668045 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829679966 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829691887 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829705000 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829751015 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829762936 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829773903 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829787016 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829808950 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829823971 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829854965 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829866886 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829889059 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829957008 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829969883 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829982042 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.829994917 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830029964 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830041885 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830054045 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830070972 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830075979 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830117941 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830130100 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830141068 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830162048 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830173969 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.830188036 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834331989 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834343910 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834356070 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834389925 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834402084 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834450006 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834462881 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834476948 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834558964 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834572077 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834583998 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834608078 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.834614038 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834625959 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834638119 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834661961 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834675074 CEST497311912192.168.2.4195.10.205.102
                            Jun 28, 2024 08:47:30.834676027 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834687948 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834702015 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834733009 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834744930 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834755898 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834779024 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834790945 CEST191249731195.10.205.102192.168.2.4
                            Jun 28, 2024 08:47:30.834868908 CEST191249731195.10.205.102192.168.2.4


                            Target ID:0
                            Start time:02:47:18
                            Start date:28/06/2024
                            Path:C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\RFQ 10046335 PO 4502042346 PR 11148099 411128.exe"
                            Imagebase:0x7ff65f2a0000
                            File size:2'440'192 bytes
                            MD5 hash:0B57430159E81D152455D3D2936F44E0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1885755676.0000020ED3916000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:02:47:18
                            Start date:28/06/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:02:47:19
                            Start date:28/06/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:02:47:19
                            Start date:28/06/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:02:47:19
                            Start date:28/06/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                            Imagebase:0x4c0000
                            File size:47'584 bytes
                            MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1995159842.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1996982292.0000000002936000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:moderate
                            Has exited:true

                            Target ID:5
                            Start time:02:47:23
                            Start date:28/06/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff693ab0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true


                              Execution Graph

                              Execution Coverage:5.8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:26.4%
                              Total number of Nodes:978
                              Total number of Limit Nodes:28
16498->16497 16499 7ff65f2a4c10 26 API calls 16498->16499 16501 7ff65f361604 16499->16501 16500 7ff65f36161f 16500->16463 16501->16500 16502 7ff65f2a4c10 26 API calls 16501->16502 16503 7ff65f361644 16502->16503 16505 7ff65f2a79d6 16504->16505 16509 7ff65f2a79f4 16505->16509 16513 7ff65f2accd0 FlsGetValue 16505->16513 16507 7ff65f2a79ec 16508 7ff65f2a2ab0 6 API calls 16507->16508 16508->16509 16509->16466 16511 7ff65f2a34e4 SetLastError 16510->16511 16514 7ff65f2accf8 FlsSetValue 16513->16514 16515 7ff65f2accea RaiseFailFastException 16513->16515 16515->16514 16525 7ff65f2af0e0 16516->16525 16519 7ff65f30b4b0 _swprintf_c_l 3 API calls 16520 7ff65f2a3dfa 16519->16520 16520->16488 16522 7ff65f370b31 16521->16522 16523 7ff65f2a4c10 26 API calls 16522->16523 16524 7ff65f370b44 16523->16524 16526 7ff65f2af10c 16525->16526 16528 7ff65f2a3ddf 16525->16528 16527 7ff65f30b4b0 _swprintf_c_l 3 API calls 16526->16527 16526->16528 16527->16528 16528->16519 16530 7ff65f2a47c0 26 API calls 16529->16530 16532 7ff65f36fe06 16530->16532 16531 7ff65f36ff0f 16531->16495 16532->16531 16534 7ff65f2a2350 16532->16534 16535 7ff65f2a2396 16534->16535 16538 7ff65f2a20b0 16535->16538 16537 7ff65f2a23a6 16537->16532 16539 7ff65f2a20e0 16538->16539 16540 7ff65f2a2178 16539->16540 16541 7ff65f2b8d69 3 API calls 16539->16541 16542 7ff65f2b8dcb 27 API calls 16539->16542 16540->16537 16541->16540 16542->16540 16543 7ff65f2bee2a 16544 7ff65f2bee39 16543->16544 16546 7ff65f2bee97 16544->16546 16547 7ff65f2d7c50 16544->16547 16555 7ff65f2d7d90 16547->16555 16556 7ff65f2d7c90 16547->16556 16548 7ff65f30b490 8 API calls 16549 7ff65f2d7dfd 16548->16549 16549->16546 16550 7ff65f2d7cfe EnterCriticalSection 16550->16556 16551 7ff65f2d7d3f LeaveCriticalSection 16553 7ff65f2b2e10 3 API calls 16551->16553 16552 7ff65f2d7e3b LeaveCriticalSection 16552->16555 16552->16556 16553->16556 16554 7ff65f2d7e1a EnterCriticalSection 16554->16552 16555->16548 16556->16550 16556->16551 16556->16552 16556->16554 
16556->16555 16558 7ff65f2d7e7e EnterCriticalSection LeaveCriticalSection 16556->16558 16559 7ff65f2b2ea0 VirtualFree 16556->16559 16558->16556 16559->16556 16560 7ff65f2beb61 16562 7ff65f2beb80 16560->16562 16563 7ff65f2bebe2 16562->16563 16584 7ff65f2d7bb0 16562->16584 16572 7ff65f2beb22 16563->16572 16575 7ff65f2bf800 16563->16575 16565 7ff65f2bed04 16568 7ff65f2bf1b0 23 API calls 16565->16568 16566 7ff65f2bec2f 16567 7ff65f2bec69 16569 7ff65f2e34a0 14 API calls 16567->16569 16573 7ff65f2becb8 16567->16573 16568->16572 16570 7ff65f2bec9b 16569->16570 16570->16572 16570->16573 16574 7ff65f2d7bb0 GetTickCount64 16570->16574 16571 7ff65f2e3570 WaitForSingleObject 16571->16572 16572->16566 16572->16571 16573->16563 16573->16565 16573->16572 16574->16573 16577 7ff65f2bf842 16575->16577 16576 7ff65f2bf915 16576->16572 16577->16576 16578 7ff65f2bf927 16577->16578 16579 7ff65f2bf8d6 16577->16579 16578->16576 16580 7ff65f2b8800 WaitForSingleObject 16578->16580 16581 7ff65f2bf8e5 SwitchToThread 16579->16581 16582 7ff65f2bf8f3 16580->16582 16581->16582 16582->16576 16583 7ff65f2cc550 3 API calls 16582->16583 16583->16576 16585 7ff65f2d7bf2 16584->16585 16586 7ff65f2d7bce 16584->16586 16585->16586 16587 7ff65f2d7c16 GetTickCount64 16585->16587 16586->16567 16587->16586 16588 7ff65f2d7c31 16587->16588 16588->16586 16589 7ff65f2bb740 16590 7ff65f2bb74b 16589->16590 16591 7ff65f2bb750 16590->16591 16598 7ff65f2adf20 16590->16598 16593 7ff65f2bb789 16594 7ff65f2b2750 14 API calls 16593->16594 16595 7ff65f2bb7db 16594->16595 16596 7ff65f2b4a40 18 API calls 16595->16596 16597 7ff65f2bb7e7 16596->16597 16599 7ff65f2adf2d 16598->16599 16602 7ff65f2a7f30 16599->16602 16603 7ff65f2a7f72 16602->16603 16604 7ff65f2a7f96 FlushProcessWriteBuffers 16603->16604 16606 7ff65f2a7fb3 16604->16606 16605 7ff65f2a8099 16606->16605 16608 7ff65f2a8029 SwitchToThread 16606->16608 16609 7ff65f2a3000 16606->16609 16608->16606 16610 7ff65f2a3027 16609->16610 16611 7ff65f2a3007 16609->16611 16610->16606 
16611->16610 16612 7ff65f2acef1 LoadLibraryExW GetProcAddress 16611->16612 16624 7ff65f2acff4 16611->16624 16613 7ff65f2acf25 GetCurrentProcess 16612->16613 16614 7ff65f2acfdd GetProcAddress 16612->16614 16622 7ff65f2acf3a _swprintf_c_l 16613->16622 16614->16624 16615 7ff65f2ad055 SuspendThread 16616 7ff65f2ad063 GetThreadContext 16615->16616 16617 7ff65f2ad0b9 16615->16617 16618 7ff65f2ad0b0 ResumeThread 16616->16618 16619 7ff65f2ad083 16616->16619 16620 7ff65f30b490 8 API calls 16617->16620 16618->16617 16619->16618 16621 7ff65f2ad0c9 16620->16621 16621->16606 16622->16614 16623 7ff65f2acf71 VerSetConditionMask VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 16622->16623 16623->16614 16625 7ff65f2ad049 16623->16625 16624->16615 16624->16617 16626 7ff65f2ad03e GetLastError 16624->16626 16625->16615 16625->16617 16626->16625 16627 7ff65f2a44a0 16628 7ff65f2a79b0 9 API calls 16627->16628 16629 7ff65f2a44b2 16628->16629 16632 7ff65f361de0 16629->16632 16633 7ff65f2a3630 16 API calls 16632->16633 16634 7ff65f361e01 16633->16634 16639 7ff65f34ce60 16634->16639 16636 7ff65f361e06 16642 7ff65f2a4600 16636->16642 16647 7ff65f2a45d0 16636->16647 16651 7ff65f34cfb0 16639->16651 16641 7ff65f34ce70 16641->16636 16643 7ff65f2a4610 16642->16643 16644 7ff65f2a461c WaitForSingleObjectEx 16643->16644 16645 7ff65f2a4645 16643->16645 16644->16643 16646 7ff65f2a4654 16644->16646 16645->16636 16646->16636 16648 7ff65f2a45e6 16647->16648 16649 7ff65f2b0fc1 SetEvent 16648->16649 16650 7ff65f2b0fba 16648->16650 16649->16636 16650->16636 16652 7ff65f34cfdc 16651->16652 16653 7ff65f34d022 CoInitializeEx 16652->16653 16657 7ff65f34d04e 16652->16657 16654 7ff65f34d039 16653->16654 16655 7ff65f34d03d 16654->16655 16658 7ff65f34d050 16654->16658 16655->16657 16663 7ff65f34d0d0 16655->16663 16657->16641 16658->16657 16659 7ff65f34d0ae 16658->16659 16661 7ff65f2a4c10 26 API calls 16658->16661 16660 7ff65f2a4c10 26 API calls 16659->16660 16662 7ff65f34d0ce 16660->16662 16661->16659 
16664 7ff65f34d0f6 16663->16664 16665 7ff65f34d137 16664->16665 16666 7ff65f34d129 CoUninitialize 16664->16666 16665->16657 16666->16665 16667 7ff65f2a6342 16668 7ff65f2a6350 16667->16668 16671 7ff65f361660 16668->16671 16669 7ff65f2b13e7 16669->16669 16672 7ff65f361679 16671->16672 16675 7ff65f361760 16672->16675 16674 7ff65f361689 16674->16669 16676 7ff65f361799 16675->16676 16678 7ff65f361776 16675->16678 16680 7ff65f361800 16676->16680 16678->16674 16679 7ff65f3617ad 16679->16674 16683 7ff65f361822 16680->16683 16681 7ff65f361966 16684 7ff65f2a4c10 26 API calls 16681->16684 16682 7ff65f361882 16682->16679 16683->16681 16683->16682 16685 7ff65f2a4c10 26 API calls 16683->16685 16686 7ff65f361979 16684->16686 16685->16681 16687 7ff65f2d2aa0 16688 7ff65f2d2abd 16687->16688 16709 7ff65f2b2dd0 VirtualAlloc 16688->16709 16690 7ff65f2d2ae3 16712 7ff65f2b2b70 InitializeCriticalSection 16690->16712 16692 7ff65f2d2b2d 16693 7ff65f2d2f53 16692->16693 16713 7ff65f2e31f0 16692->16713 16695 7ff65f2d2b5c _swprintf_c_l 16708 7ff65f2d2d9a 16695->16708 16723 7ff65f2d27b0 16695->16723 16697 7ff65f2d2d2f 16698 7ff65f2b2ee0 3 API calls 16697->16698 16699 7ff65f2d2d69 16698->16699 16699->16708 16727 7ff65f2d2f80 16699->16727 16701 7ff65f2d2d8b 16702 7ff65f2d2d8f 16701->16702 16704 7ff65f2d2dbe 16701->16704 16782 7ff65f2b2ec0 VirtualFree 16702->16782 16704->16708 16744 7ff65f2e5e20 16704->16744 16710 7ff65f2b2df1 VirtualFree 16709->16710 16711 7ff65f2b2e09 16709->16711 16710->16690 16711->16690 16712->16692 16714 7ff65f2e321f 16713->16714 16715 7ff65f2e3242 16714->16715 16716 7ff65f2e324c 16714->16716 16719 7ff65f2e3277 16714->16719 16783 7ff65f2b2f60 16715->16783 16718 7ff65f2b2ee0 3 API calls 16716->16718 16721 7ff65f2e325d 16718->16721 16719->16695 16721->16719 16794 7ff65f2b2ec0 VirtualFree 16721->16794 16725 7ff65f2d27cf 16723->16725 16726 7ff65f2d27eb 16725->16726 16795 7ff65f2b2450 16725->16795 16726->16697 16728 7ff65f2d2fb5 16727->16728 16729 7ff65f2d2fb9 16728->16729 16733 
7ff65f2d2fd3 16728->16733 16730 7ff65f30b490 8 API calls 16729->16730 16731 7ff65f2d2fcb 16730->16731 16731->16701 16732 7ff65f2d301e EnterCriticalSection 16732->16733 16733->16732 16734 7ff65f2d305e LeaveCriticalSection 16733->16734 16735 7ff65f2d3169 LeaveCriticalSection 16733->16735 16738 7ff65f2d3148 EnterCriticalSection 16733->16738 16740 7ff65f2d30af 16733->16740 16736 7ff65f2b2e10 3 API calls 16734->16736 16735->16740 16742 7ff65f2d317e 16735->16742 16736->16733 16737 7ff65f30b490 8 API calls 16739 7ff65f2d3140 16737->16739 16738->16735 16739->16701 16740->16737 16742->16740 16743 7ff65f2d31a3 EnterCriticalSection LeaveCriticalSection 16742->16743 16802 7ff65f2b2ea0 VirtualFree 16742->16802 16743->16742 16803 7ff65f2e5d60 16744->16803 16747 7ff65f2d21b0 16748 7ff65f2d2218 16747->16748 16780 7ff65f2d2241 16748->16780 16807 7ff65f2b2390 16748->16807 16749 7ff65f2d2774 16821 7ff65f2b22f0 CloseHandle 16749->16821 16750 7ff65f2d2780 16751 7ff65f2d2795 16750->16751 16752 7ff65f2d2789 16750->16752 16751->16708 16822 7ff65f2b22f0 CloseHandle 16752->16822 16756 7ff65f2d2282 16757 7ff65f2b2390 4 API calls 16756->16757 16756->16780 16758 7ff65f2d2298 _swprintf_c_l 16757->16758 16759 7ff65f2b2570 10 API calls 16758->16759 16758->16780 16760 7ff65f2d25a6 16759->16760 16761 7ff65f2b2390 4 API calls 16760->16761 16762 7ff65f2d261e 16761->16762 16763 7ff65f2d2660 16762->16763 16766 7ff65f2b2390 4 API calls 16762->16766 16764 7ff65f2d2720 16763->16764 16765 7ff65f2d272c 16763->16765 16763->16780 16817 7ff65f2b22f0 CloseHandle 16764->16817 16768 7ff65f2d2735 16765->16768 16769 7ff65f2d2741 16765->16769 16770 7ff65f2d2634 16766->16770 16818 7ff65f2b22f0 CloseHandle 16768->16818 16772 7ff65f2d274a 16769->16772 16773 7ff65f2d2756 16769->16773 16770->16763 16812 7ff65f2b2310 16770->16812 16819 7ff65f2b22f0 CloseHandle 16772->16819 16776 7ff65f2d275f 16773->16776 16773->16780 16820 7ff65f2b22f0 CloseHandle 16776->16820 16777 7ff65f2d264a 16777->16763 16779 7ff65f2b2390 4 API calls 
16777->16779 16779->16763 16780->16749 16780->16750 16781 7ff65f2d26ff 16780->16781 16781->16708 16782->16708 16784 7ff65f2b2f8e LookupPrivilegeValueW 16783->16784 16785 7ff65f2b3026 GetLargePageMinimum 16783->16785 16786 7ff65f2b305f 16784->16786 16787 7ff65f2b2faa GetCurrentProcess OpenProcessToken 16784->16787 16788 7ff65f2b3063 GetCurrentProcess VirtualAllocExNuma 16785->16788 16789 7ff65f2b3046 VirtualAlloc 16785->16789 16791 7ff65f30b490 8 API calls 16786->16791 16787->16786 16790 7ff65f2b2fe1 AdjustTokenPrivileges GetLastError CloseHandle 16787->16790 16788->16786 16789->16786 16790->16786 16792 7ff65f2b301b 16790->16792 16793 7ff65f2b3096 16791->16793 16792->16785 16792->16786 16793->16721 16794->16719 16796 7ff65f2b2458 16795->16796 16797 7ff65f2b2471 GetLogicalProcessorInformation 16796->16797 16801 7ff65f2b249d 16796->16801 16798 7ff65f2b24a4 16797->16798 16799 7ff65f2b2492 GetLastError 16797->16799 16800 7ff65f2b24e1 GetLogicalProcessorInformation 16798->16800 16798->16801 16799->16798 16799->16801 16800->16801 16801->16726 16802->16742 16804 7ff65f2e5d79 16803->16804 16806 7ff65f2d2f32 16803->16806 16805 7ff65f2e5d90 GetEnabledXStateFeatures 16804->16805 16804->16806 16805->16806 16806->16747 16808 7ff65f30b4b0 _swprintf_c_l 3 API calls 16807->16808 16809 7ff65f2b23b6 16808->16809 16810 7ff65f2b23be CreateEventW 16809->16810 16811 7ff65f2b23e0 16809->16811 16810->16811 16811->16756 16813 7ff65f30b4b0 _swprintf_c_l 3 API calls 16812->16813 16814 7ff65f2b2336 16813->16814 16815 7ff65f2b233e CreateEventW 16814->16815 16816 7ff65f2b235e 16814->16816 16815->16816 16816->16777 16817->16765 16818->16769 16819->16773 16820->16780 16821->16750 16822->16751 16823 7ff65f33ea10 16826 7ff65f33e920 16823->16826 16825 7ff65f33ea26 16832 7ff65f370d30 16826->16832 16828 7ff65f33e953 16829 7ff65f33e957 16828->16829 16836 7ff65f31d410 16828->16836 16829->16825 16831 7ff65f33e97e 16831->16825 16833 7ff65f370d53 16832->16833 16834 7ff65f370d77 GetLocaleInfoEx 16833->16834 
16835 7ff65f370d96 16834->16835 16835->16828 16837 7ff65f31d458 16836->16837 16838 7ff65f31d41e 16836->16838 16837->16831 16838->16837 16841 7ff65f2a4760 16838->16841 16840 7ff65f31d438 16840->16831 16842 7ff65f2a4769 16841->16842 16843 7ff65f2a47a8 16842->16843 16844 7ff65f2a4c10 26 API calls 16842->16844 16843->16840 16845 7ff65f362310 16844->16845 16846 7ff65f3624a0 26 API calls 16845->16846 16847 7ff65f3623d3 16846->16847 16848 7ff65f2bf97d 16851 7ff65f2e1b20 16848->16851 16850 7ff65f2bf95b 16854 7ff65f2bc690 16851->16854 16853 7ff65f2e1b5a 16853->16850 16855 7ff65f2bc6da 16854->16855 16856 7ff65f2e1970 4 API calls 16855->16856 16860 7ff65f2bc7b1 16855->16860 16861 7ff65f2bc7eb _swprintf_c_l 16856->16861 16857 7ff65f2d4960 2 API calls 16858 7ff65f2bc9d3 16857->16858 16859 7ff65f2c4420 6 API calls 16858->16859 16858->16860 16859->16860 16860->16853 16861->16857 16861->16858

                              Control-flow Graph

                              APIs
                              • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2B9F
                              • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2BDD
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2C09
                              • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2C1A
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2C29
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2CC0
                              • GetProcessAffinityMask.KERNEL32 ref: 00007FF65F2B2CD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                              • String ID:
                              • API String ID: 580471860-0
                              • Opcode ID: 4c9e7b62ca1d93063124db9da2326d3f3828c88f021132ba50495a9616bc8b52
                              • Instruction ID: 8bdaea054c69ba259bbf63517628004378daed328d42c6811354087e4ed3886b
                              • Opcode Fuzzy Hash: 4c9e7b62ca1d93063124db9da2326d3f3828c88f021132ba50495a9616bc8b52
                              • Instruction Fuzzy Hash: 6E515AB2A18B4686EB51CF59E5041B963A2FB48780F8C4431DA4DE73E6EF3CE545CB01

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00007FF65F2AD0F0: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF65F2A813F,?,?,?,?,?,?,00007FF65F2A2000), ref: 00007FF65F2AD0FB
                                • Part of subcall function 00007FF65F2AD0F0: QueryInformationJobObject.KERNEL32 ref: 00007FF65F2AD1CE
                                • Part of subcall function 00007FF65F2ACE80: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF65F2A8168,?,?,?,?,?,?,00007FF65F2A2000), ref: 00007FF65F2ACE91
                              • RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF65F2A81C9
                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF65F2A2000), ref: 00007FF65F2A82B3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored
                              • String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
                              • API String ID: 2052584837-2841289747
                              • Opcode ID: d0ac9821fb6c0add4b9ebbe98daa48ccbd8c985c351c2d863065a78766f66ba6
                              • Instruction ID: 849a2ec5a78b9a7fe721a1b0e128b58cce2593962d4dd7c8eda40bf7eaae07d3
                              • Opcode Fuzzy Hash: d0ac9821fb6c0add4b9ebbe98daa48ccbd8c985c351c2d863065a78766f66ba6
                              • Instruction Fuzzy Hash: FB4140B2E08A8341EB10ABA19A112FA63D1AF41784F4C4431E9CDB7A9BDFACF445C701

                              Control-flow Graph

                              (Control-flow graph of the function with executed / not executed paths; interactive graph edge data omitted.)
                              APIs
                              • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF65F30B4B9,?,?,?,?,00007FF65F2AE7A1,?,?,?,00007FF65F2AED24,00000000,00000020,?), ref: 00007FF65F30BDBE
                              • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF65F30BDD4
                                • Part of subcall function 00007FF65F30C204: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF65F30C20D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                              • String ID:
                              • API String ID: 205171174-0
                              • Opcode ID: bf961b2ab8b72b6bb4696f625dc9e1acb4f646454a2333270e2ccd61e10cc9a7
                              • Instruction ID: 71463b96c90df93166cc6c63d3a51067d7bd3fd5aa3c95074c7d73f0fa7c4144
                              • Opcode Fuzzy Hash: bf961b2ab8b72b6bb4696f625dc9e1acb4f646454a2333270e2ccd61e10cc9a7
                              • Instruction Fuzzy Hash: D9819E71E086039AF758CF29A85126937E4FB143A4F18473ADA6DEB7E1CF7CA5408740

                              Control-flow Graph

                              APIs
                              • GetLocaleInfoEx.KERNEL32(?,?,?,?,?,00000010,0000020ED0C002C0,?,?,00000000,?,?,00007FF65F33E953), ref: 00007FF65F370D86
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: InfoLocale
                              • String ID:
                              • API String ID: 2299586839-0
                              • Opcode ID: 204640446f1087154f6338ca72d232791813a4a0625229ff24d57606c327cb8e
                              • Instruction ID: 02dee8a99a57b437ffa133fe0c6b6d75cbae02a3f0d8aaceba0cb67298e56ebe
                              • Opcode Fuzzy Hash: 204640446f1087154f6338ca72d232791813a4a0625229ff24d57606c327cb8e
                              • Instruction Fuzzy Hash: E1011373B09B1099FB11DAB5AC014EE3BB8B758318B54413AEE4DA7A48EF34A452C640
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: CurrentProcess
                              • String ID:
                              • API String ID: 2050909247-0
                              • Opcode ID: 08012919a8b1b8081b4c713736aa929bcbe064cfab43f142deed8e71929d45e1
                              • Instruction ID: 1fd377f7e1a59227fb4cea89fe98252fd2fc4b2fcd532c293f4d7c1d1574ad48
                              • Opcode Fuzzy Hash: 08012919a8b1b8081b4c713736aa929bcbe064cfab43f142deed8e71929d45e1
                              • Instruction Fuzzy Hash: 9802CFA1E4964786FB15CB69E94063477A2BF54780F0C8636D64DF72A2DF3CB982C701
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: da6522dfba86e506d4cce0a791ffe426ab58007ea9c2e4f0f8ba7e2c60a8adf3
                              • Instruction ID: 44eee595bc87b828ad235b2496e86ccdad4f704fbe4e182faa28b594f1e8547c
                              • Opcode Fuzzy Hash: da6522dfba86e506d4cce0a791ffe426ab58007ea9c2e4f0f8ba7e2c60a8adf3
                              • Instruction Fuzzy Hash: 91F1BE61D1DB4346FB52DB64EA1127463A1AFA6380F0D8736EA4DF22A7EF2C74D18701

                              Control-flow Graph

                              APIs
                              Strings
                              Similarity
                              • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                              • String ID: @$@$@
                              • API String ID: 2645093340-1177533131
                              • Opcode ID: 46198da623394d7b15bb719f5e4a5128e58e6380a5aeb4f160e59a8db540b038
                              • Instruction ID: b47af6881a7d3efcc3ab5cb1301ef36b594fadc2faaf8327a2d6cee7c8e578ac
                              • Opcode Fuzzy Hash: 46198da623394d7b15bb719f5e4a5128e58e6380a5aeb4f160e59a8db540b038
                              • Instruction Fuzzy Hash: 27418472608BC185EB728F51E5043AAB3A0FB84BA0F5C4635DEAD97AD9DF3CD4448B10

                              Control-flow Graph

                              APIs
                              • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF65F2A813F,?,?,?,?,?,?,00007FF65F2A2000), ref: 00007FF65F2AD0FB
                                • Part of subcall function 00007FF65F2B2B90: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2B9F
                                • Part of subcall function 00007FF65F2B2B90: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2BDD
                                • Part of subcall function 00007FF65F2B2B90: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2C09
                                • Part of subcall function 00007FF65F2B2B90: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2C1A
                                • Part of subcall function 00007FF65F2B2B90: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F2AD11A), ref: 00007FF65F2B2C29
                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF65F2A813F,?,?,?,?,?,?,00007FF65F2A2000), ref: 00007FF65F2AD16D
                              • GetProcessAffinityMask.KERNEL32 ref: 00007FF65F2AD180
                              • QueryInformationJobObject.KERNEL32 ref: 00007FF65F2AD1CE
                              Strings
                              Similarity
                              • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
                              • String ID: PROCESSOR_COUNT
                              • API String ID: 1701933505-4048346908
                              • Opcode ID: 25420fbf59497c97a6a616538860f2c47e8523c816d87657a417c9793d34a5e2
                              • Instruction ID: 33e7e78919a77006d14d16aa54ff9db682a2d168153600c05fac047a3f534452
                              • Opcode Fuzzy Hash: 25420fbf59497c97a6a616538860f2c47e8523c816d87657a417c9793d34a5e2
                              • Instruction Fuzzy Hash: 8A3193A1A0CA4386FB149B94D9403B9A3E1EF84354F980431DA8DE76DADF6CE449C710

                              Control-flow Graph

                              APIs
                              Strings
                              • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF65F2A3726
                              Similarity
                              • API ID: ExceptionFailFastRaise$Sleep
                              • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                              • API String ID: 3706814929-926682358
                              • Opcode ID: 6d8d11b0511a8dae8a9ce044f43be3adb427a5065ca878d9ad955d00c565f2fa
                              • Instruction ID: ae508a077f19e7bd33f72d9986cdc23be727332210c0fb17792d8fc806aac30b
                              • Opcode Fuzzy Hash: 6d8d11b0511a8dae8a9ce044f43be3adb427a5065ca878d9ad955d00c565f2fa
                              • Instruction Fuzzy Hash: 15413B72A58A4282FB90DF55EA5037933E0EB04B84F0C5039CA8DE67A5DF7EE855C741

                              Control-flow Graph

                              APIs
                              Similarity
                              • API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                              • String ID:
                              • API String ID: 2150560229-0
                              • Opcode ID: 1fd97627cfe8389e38b2286a366fd33d3ebac3e1f7f8eb4fcf4620db7d9795ed
                              • Instruction ID: 0d12fe2462e8afe0a94b8b9d63933cefd72b6b33062c0bdee8d399c72f65de69
                              • Opcode Fuzzy Hash: 1fd97627cfe8389e38b2286a366fd33d3ebac3e1f7f8eb4fcf4620db7d9795ed
                              • Instruction Fuzzy Hash: F2E092A6E1970282FB159F61B82837AA360BF98B85F4C4034DD8F563E1EF3D91958704

                              Control-flow Graph

                              Control-flow graph (image not reproduced): function at 0x7FF65F2B2570, 41 basic blocks spanning 0x7FF65F2B2570-0x7FF65F2B274B, with executed and not-executed blocks distinguished in the graph; the blocks call GetCurrentProcess (followed by the subroutine at 0x7FF65F30B0DA), GlobalMemoryStatusEx, and the subroutine at 0x7FF65F30B490.
                              APIs
                              Strings
                              Similarity
                              • API ID: CurrentGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3261791682-2766056989
                              • Opcode ID: d415d27f6ddf2cca45eba18734769ddeecb613225847b9f00db101291d5e82da
                              • Instruction ID: 904b5edb3021b6cf38e637cc4ed645b2174cc6e903e241324539b899d6b17381
                              • Opcode Fuzzy Hash: d415d27f6ddf2cca45eba18734769ddeecb613225847b9f00db101291d5e82da
                              • Instruction Fuzzy Hash: F241B4A1A19B4641EA57CB76D21033997926F5ABC0F1CCB31DE4EB6784FF3CE4818A00

                              Control-flow Graph

                              APIs
                              Strings
                              Similarity
                              • API ID: Count64Tick
                              • String ID: D)
                              • API String ID: 1927824332-848725745
                              • Opcode ID: f82d4a9a810ac6d4e96cf24114986ca43aa22862ede0ef90aa7aa3fe145d4e2e
                              • Instruction ID: 76330d5432f59c025eabbdc44b0015684ed8e9cad2f9b7170e9157cbb363f75b
                              • Opcode Fuzzy Hash: f82d4a9a810ac6d4e96cf24114986ca43aa22862ede0ef90aa7aa3fe145d4e2e
                              • Instruction Fuzzy Hash: DC4182B1E0974785FB65CBA4D6402BA2390AF50784F1D4936DE5DF3B92DE3CE4468302

                              Control-flow Graph

                              APIs
                              • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF65F2B6968,?,?,0000000B,00007FF65F2B5830,?,?,00000000,00007FF65F2AFBF1), ref: 00007FF65F2B2E37
                              • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF65F2B6968,?,?,0000000B,00007FF65F2B5830,?,?,00000000,00007FF65F2AFBF1), ref: 00007FF65F2B2E57
                              • VirtualAllocExNuma.KERNEL32 ref: 00007FF65F2B2E78
                              Similarity
                              • API ID: AllocVirtual$CurrentNumaProcess
                              • String ID:
                              • API String ID: 647533253-0
                              • Opcode ID: 5188d5bc0a99c14dc0d2229a5aba8e7e5169a6da6aec5c86698c49050b78a37c
                              • Instruction ID: 49ea7f10510925756adf4240e5816c52ca9ca07691a96cb0dacdb83f1cfe1f31
                              • Opcode Fuzzy Hash: 5188d5bc0a99c14dc0d2229a5aba8e7e5169a6da6aec5c86698c49050b78a37c
                              • Instruction Fuzzy Hash: A7F0A471B0869182E7208B06F40021AA760AB49BD4F184138EF4C67BA8DF3DD5C18B04

                              Control-flow Graph

                              APIs
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 3b0924aad5c9d8f1e4054d63f84a8e7ac6c370ab154e50dab9d8d9c549d06468
                              • Instruction ID: ff3c5a4ef7ffffcb6e8ffbc53d2748abf1ff186d64e83b8bfd93835808577034
                              • Opcode Fuzzy Hash: 3b0924aad5c9d8f1e4054d63f84a8e7ac6c370ab154e50dab9d8d9c549d06468
                              • Instruction Fuzzy Hash: FBE0C225F1A20182EB18DB13A84666A13916F5DB00FC88038C90D93790EE2DA19B8F40

                              Control-flow Graph

                              APIs
                              • CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF65F34CE70,?,?,00000030), ref: 00007FF65F34D029
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: ce31ffd1ec9d8b5bbdb0ed3b55378968654e8df619020ba143fb855d25076bc4
                              • Instruction ID: 207cd58be83318c17f7907891fd597e6d8c70b6e434fb741f765f08ae6bfb463
                              • Opcode Fuzzy Hash: ce31ffd1ec9d8b5bbdb0ed3b55378968654e8df619020ba143fb855d25076bc4
                              • Instruction Fuzzy Hash: CD31B262F0860645FB10EB51A8192BD23A06F44B54F4C4036DE8DAB79ADE6DE886C380

                              Control-flow Graph

                              APIs
                              Similarity
                              • API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
                              • String ID:
                              • API String ID: 2131581837-0
                              • Opcode ID: 81512a36198997ebbb2f8b2451833254b7240adeb84ca046804f6c980f224bd1
                              • Instruction ID: 78d7b63ab0ffccf604bc9b1bb3cf50580fc61a680b210c5ff37b95ee40807ea4
                              • Opcode Fuzzy Hash: 81512a36198997ebbb2f8b2451833254b7240adeb84ca046804f6c980f224bd1
                              • Instruction Fuzzy Hash: 12115EB2908B8182EB64AF65B4011AAB351F7457B0F584339E6FD9B7D6DF78D0468700
                              APIs
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: c77d0b216ed602b1f63c297f10537e1da20961e91553004aa9498b52e676b055
                              • Instruction ID: 5f4ff1aed4ea0b5975fc04adfebe9e0a2eb415a4a7d5faa994d545baf78e953d
                              • Opcode Fuzzy Hash: c77d0b216ed602b1f63c297f10537e1da20961e91553004aa9498b52e676b055
                              • Instruction Fuzzy Hash: 5CB01200F1A001C2E30427237C82B0D03142B19B12FC90024C608F1690DD2C81E51B10
                              Strings
                              Similarity
                              • API ID:
                              • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCPath$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.Path$System.GC.RetainVM$System.GC.Server
                              • API String ID: 0-1379766591
                              • Opcode ID: d99b99d8d7d8079bc8fcfdef839217da97d7cae1de85db9ed7a85a6efaf86363
                              • Instruction ID: da98103661fa897cc1f7428dd9c546de5cce7ee1b75073dbcc25b87f0ed1d337
                              • Opcode Fuzzy Hash: d99b99d8d7d8079bc8fcfdef839217da97d7cae1de85db9ed7a85a6efaf86363
                              • Instruction Fuzzy Hash: 5D427E71A08A5782EF20DB55F850AAD63A5FF887C8F492532DA8C57B66DF3CD206C704
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: strcmp
                              • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                              • API String ID: 1004003707-1492036319
                              • Opcode ID: 4191eb02c31c6530e6ec1d622d11567a61af9ffd1ff6ecc5b188b8cc01225dc0
                              • Instruction ID: c0fc5e5332f97e88c23946828e320d672df5bea436a49e1fbf913276f68eac46
                              • Opcode Fuzzy Hash: 4191eb02c31c6530e6ec1d622d11567a61af9ffd1ff6ecc5b188b8cc01225dc0
                              • Instruction Fuzzy Hash: 3D629460D0DB8790EF01DBA5E8504F927A2AF95784F8C4536C68CEB2B7DE7CA159C342
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                              • String ID: SeLockMemoryPrivilege
                              • API String ID: 1752251271-475654710
                              • Opcode ID: 15b15ab6d6ee02b3c5b0b81b0fa05c43a8a43f1a4b1e1b9cf4b9317159724ae4
                              • Instruction ID: 9bc4a2536e14afa67609c462016aea7d332a40dbdfd05f773e9d246e19d46122
                              • Opcode Fuzzy Hash: 15b15ab6d6ee02b3c5b0b81b0fa05c43a8a43f1a4b1e1b9cf4b9317159724ae4
                              • Instruction Fuzzy Hash: E4318572A0CA4286FB609BA1F54437BA7A1EF84B84F184435DE4EA7796DF7DD4848B00
                              APIs
                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF65F2A7871), ref: 00007FF65F2A6F88
                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF65F2A7871), ref: 00007FF65F2A70DB
                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF65F2A7871), ref: 00007FF65F2A71B3
                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF65F2A7871), ref: 00007FF65F2A71C9
                              • RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF65F2A7871), ref: 00007FF65F2A7245
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: ExceptionFailFastRaise
                              • String ID: [ KeepUnwinding ]
                              • API String ID: 2546344036-400895726
                              • Opcode ID: a194a7c0d0f8bf0d13eda8b02fc6739eea9f927413269e725c7a1e9c4323ee48
                              • Instruction ID: a2dd28ab9202ea637f4ef474f98bebb074d0ed9c4475eb40fdffc31120a37364
                              • Opcode Fuzzy Hash: a194a7c0d0f8bf0d13eda8b02fc6739eea9f927413269e725c7a1e9c4323ee48
                              • Instruction Fuzzy Hash: B6B1CFB2A09B4281EB90CFA0D5802A933E6FB44B48F5C4536CE8DAB398DF7DE455C354
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: SwitchThread
                              • String ID:
                              • API String ID: 115865932-0
                              • Opcode ID: de3af9872942d2e5463f82b08a78e24417d9ee751223df948923f138561bc3d3
                              • Instruction ID: 24878a6afa12a239dd0759f111d2ee7a9c4f249b22c68cf06cdec25e74075a87
                              • Opcode Fuzzy Hash: de3af9872942d2e5463f82b08a78e24417d9ee751223df948923f138561bc3d3
                              • Instruction Fuzzy Hash: 43B17BB1E49A4386EB508BA8D6442B833A0FF04B94F4D4635DA5DE7396DF3CE9868341
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID: @
                              • API String ID: 3168844106-2766056989
                              • Opcode ID: 5db7b6a377614d9f480f265109a2fe80749a182d1a3adcd727705f5ae378369e
                              • Instruction ID: 5efc018fee047ce3cf09c579e8b32524522ca8f4476630c583959fd42d249e5c
                              • Opcode Fuzzy Hash: 5db7b6a377614d9f480f265109a2fe80749a182d1a3adcd727705f5ae378369e
                              • Instruction Fuzzy Hash: AC913FA1E0CA4382FB51CBA5EA403B523A1AF54788F5C4435DE4DE77AADE3CF4858702
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: SwitchThread
                              • String ID:
                              • API String ID: 115865932-0
                              • Opcode ID: c2dd94c7d96df3f2775cdd799debc1e0e9d9a61e5e2074260edde2e60430f6ac
                              • Instruction ID: b0ca1c3561eb575e38fb7036c4f329a9836c8a13cb8903a56a07a49a8bbc10a9
                              • Opcode Fuzzy Hash: c2dd94c7d96df3f2775cdd799debc1e0e9d9a61e5e2074260edde2e60430f6ac
                              • Instruction Fuzzy Hash: 5DE18172A09E9282EB60CF55E5403A9B360FF44B94F594232DA9DE7799DF7CE442CB00
                              APIs
                              • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF65F2A828B,?,?,?,?,?,?,00007FF65F2A2000), ref: 00007FF65F2B211F
                              • GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF65F2A828B,?,?,?,?,?,?,00007FF65F2A2000), ref: 00007FF65F2B217C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: EnabledFeaturesState
                              • String ID:
                              • API String ID: 1557480591-0
                              • Opcode ID: 72210cc46d501d66917d4aa4741235ebaad592b546a2f8b3c708735d4c7245cd
                              • Instruction ID: ffb96169523f3a504e59e78f28306bd975f46ffcf9d4e449a9da2b83a2b4e4e6
                              • Opcode Fuzzy Hash: 72210cc46d501d66917d4aa4741235ebaad592b546a2f8b3c708735d4c7245cd
                              • Instruction Fuzzy Hash: 8651CEB2F1832206FF69449DD669375038B5BE5360F4E8938DE4EE76C3CD7EA8424A04
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID:
                              • API String ID: 3168844106-0
                              • Opcode ID: d59cc5cb1b18531cba8ca60925d5e3cb69ecf232ff52c5df66362fa8286c3256
                              • Instruction ID: 9247ba2c03e0d66c37f92e95af27abd4fdff8cfdc0a527f57bae9bd713b470ea
                              • Opcode Fuzzy Hash: d59cc5cb1b18531cba8ca60925d5e3cb69ecf232ff52c5df66362fa8286c3256
                              • Instruction Fuzzy Hash: A4417C72A18A9781EB10DFA6DA5017A63A0FF48BC4B1C4536DF4DA7B9ADF3CE0118740
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: d80cb2096afa2d96802b29f732793f8d2c2ea0a515708a2f5b61d075e09ca355
                              • Instruction ID: 86242714bfec912acd77084f66f0a6e41139bc757143837051a94da6ad45e5f2
                              • Opcode Fuzzy Hash: d80cb2096afa2d96802b29f732793f8d2c2ea0a515708a2f5b61d075e09ca355
                              • Instruction Fuzzy Hash: 8442AAB2A19A8686EB11CF55EA0027837A0FF447A4F094636CA6DE77E5CF7CE456C301
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID: ?
                              • API String ID: 0-1684325040
                              • Opcode ID: d973c782404e594d9bcbf2e5c6d56061f7dad822c0a4488c5f43b24ac340032d
                              • Instruction ID: cb622893dd8f8eb5ec07a367ef3f4f44c3476da6206171e351532e654be97d09
                              • Opcode Fuzzy Hash: d973c782404e594d9bcbf2e5c6d56061f7dad822c0a4488c5f43b24ac340032d
                              • Instruction Fuzzy Hash: EA12CCB2A08B8692EB14CB56E6407B973A5FB84B94F584231CE5EE3794DF3CE045CB41
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
                              • Instruction ID: 20885a56f025561e42893e02e9d38a4f3eae7fdeb050adf0c94a06443da4aa25
                              • Opcode Fuzzy Hash: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
                              • Instruction Fuzzy Hash: 6AD1DDF3B14B4987E718AF69E60466933A2EB44BD8F185235CE9E57B98CF78D810C740
                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF65F2A826E,?,?,?,?,?,?,00007FF65F2A2000), ref: 00007FF65F2AEBCC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: Time$FileSystem
                              • String ID:
                              • API String ID: 2086374402-0
                              • Opcode ID: 01526b02e241dee81f399a2eac65e121072c1da9abb2975d62793974b100dfe8
                              • Instruction ID: fc5bff2bde29cdd414a3faf8132b26b86e7e8e593459a29f0df6ccc3c17f1a26
                              • Opcode Fuzzy Hash: 01526b02e241dee81f399a2eac65e121072c1da9abb2975d62793974b100dfe8
                              • Instruction Fuzzy Hash: 0C211B71E0EB4386EB40DB65E84026A73A0FB88344F584539E64DE3B66DFBCE4848B41
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c46563421866cb1b5f469f90219f00d70860dff413f8aa2cbdd885a1ae4a15a1
                              • Instruction ID: 1ac4701b067d21d72ef758e179f26dec2b5d1e54acfb1b34ab44bfa3a07c54ce
                              • Opcode Fuzzy Hash: c46563421866cb1b5f469f90219f00d70860dff413f8aa2cbdd885a1ae4a15a1
                              • Instruction Fuzzy Hash: 6692D0A1B18B4785EB11CBA5DA516B467A1BF48BC4F4C8236DA4EF7362DF3CE0468301
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: CounterPerformanceQuery
                              • String ID:
                              • API String ID: 2783962273-0
                              • Opcode ID: dbabca0daaad52e6d2fee9b053951e65599bec3c22e1c459a219101abfb20a77
                              • Instruction ID: aae55be8710df788b26c0939303dec5b4a894600c26f759828f353fc9730c27c
                              • Opcode Fuzzy Hash: dbabca0daaad52e6d2fee9b053951e65599bec3c22e1c459a219101abfb20a77
                              • Instruction Fuzzy Hash: B702AEB1E1AB4785EB56CB65D65137427A0AF48B54F2C4236DA4EB33A1EF3CE491C301
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
                              • Instruction ID: a3737d34a34dccac71128422510ef11f55fd213ba5478e133dc3e16978b710be
                              • Opcode Fuzzy Hash: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
                              • Instruction Fuzzy Hash: E0D1AAB3B14B8983DB598F29E144AA837A9F758BC8F484035DE4E8BB58DF38D644C750
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7da7e54ed24954a500e0de7022938a4671c5c3d7a4c5f28315c5e883fd872f53
                              • Instruction ID: dfd95ecc0d2c9ea704a869d090e8c070f67507d44bb3c5c7717f19fd18e53ba5
                              • Opcode Fuzzy Hash: 7da7e54ed24954a500e0de7022938a4671c5c3d7a4c5f28315c5e883fd872f53
                              • Instruction Fuzzy Hash: 56615F50E2940656F918BF66AC550F4A3711FAAB80F4C2832D95EFF7A3AE5CE1594380
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f6dc304a19f2a48ee2c861db27342cb39ee3eea17acda9183df1afc939c6c05
                              • Instruction ID: aaa6c9e560afb2f5601e621a9f04642f3e74bc22a6844d5076c57ceb16c62c98
                              • Opcode Fuzzy Hash: 7f6dc304a19f2a48ee2c861db27342cb39ee3eea17acda9183df1afc939c6c05
                              • Instruction Fuzzy Hash: 67D15CB2A0AA8786E760CB54E9442BA33A0FB44748F4D4935DE4EE7766DF3CE4568301
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4d6254c0ef687fac40c48f3d506a17342e23e87eff8218f83829c6cce0c6783e
                              • Instruction ID: d0f9ce619d9634f2b4635c30332ca772f57e5906b522453b776add37bfa9fdd9
                              • Opcode Fuzzy Hash: 4d6254c0ef687fac40c48f3d506a17342e23e87eff8218f83829c6cce0c6783e
                              • Instruction Fuzzy Hash: E3C1ABB2A19A8791EB01CB95E95023877A4FB44BA0F0D4635DA6DE77E6CF3CE494C301
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 28436a9c3417000466a2d9979135604bb1afaa64b481e814e6aa6ec24cae149b
                              • Instruction ID: 2d4664c2f12b43b93a9f76f62a65156389a588fdf707df1dbf432d099614227d
                              • Opcode Fuzzy Hash: 28436a9c3417000466a2d9979135604bb1afaa64b481e814e6aa6ec24cae149b
                              • Instruction Fuzzy Hash: 5DC18CB2A19A8781EB01CB55E90117877A5FF44BA4B0C423ADA6DE77E5CF7CE096C301
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
                              • Instruction ID: e921e043206a2bf1b11ef1c3c97ca406208650cde3671e177b59555ec9da08cb
                              • Opcode Fuzzy Hash: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
                              • Instruction Fuzzy Hash: 7E91FCF3A10B5587EB18CF29D84126933A1F754BA8F189239CEAD53B98DF78D811CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94133470a1cdfe2213458b368141420a258a13cfa6e3db9c0818582347a24da2
                              • Instruction ID: 48b7bc66df2622d67077cd659c5fbaa1791c423e1421a54857fe9ceb46b4c74d
                              • Opcode Fuzzy Hash: 94133470a1cdfe2213458b368141420a258a13cfa6e3db9c0818582347a24da2
                              • Instruction Fuzzy Hash: DE4183A1A194429AF604AF63ED415F967646FA4FC0F4C8032ED0DEB76BEE6CE5458380
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4cfc7e4d115ce1370a28ac6abb2cf91c2911c6ad5a29bc3d3fae3187189239e
                              • Instruction ID: 1bddf61683e0845500f6afe44497df402bb8a25f313ab6da1ed8fd25127b34c6
                              • Opcode Fuzzy Hash: c4cfc7e4d115ce1370a28ac6abb2cf91c2911c6ad5a29bc3d3fae3187189239e
                              • Instruction Fuzzy Hash: A741F7A1F19B0F41EA06C7B79640624A3939F6A3D0E2CCB31DD1DB67D6EF6C70904200
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ee72cb688372a8b7ca6c53026427fe1cb6e98e11cf675aa8f3c1fed9b58c5e49
                              • Instruction ID: 3be1c782d548a1ed2dbf39ab21108c2ecb1c16a95b3d54f5d4444744255c81f6
                              • Opcode Fuzzy Hash: ee72cb688372a8b7ca6c53026427fe1cb6e98e11cf675aa8f3c1fed9b58c5e49
                              • Instruction Fuzzy Hash: AD412971F59B8A41EA1697BB56015795351AF89BC4F1CCB32DA0EB7791EF7CF0818200
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7533faf894bf0ca9caf5f1480e5f2de4d9b878ab499b8342825ab4e25c589ece
                              • Instruction ID: ae80191761ff2ffdd3952ca13ae4c555d2ad2190d3c699aa4d83ca0e417359b4
                              • Opcode Fuzzy Hash: 7533faf894bf0ca9caf5f1480e5f2de4d9b878ab499b8342825ab4e25c589ece
                              • Instruction Fuzzy Hash: D531F923F8954582FB589F56D4910BC6361EB46BC4B4C9031EE0DAB395DF2CEC928390
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 58f6a76dfd64ef7b78e5c6641dc319f4b652810589be1d7a6d8d44123e559c2a
                              • Instruction ID: 7fd1524fc6d1296ced89e91ea19c1068ad1e990a0ac9d8b766331f156524c2bc
                              • Opcode Fuzzy Hash: 58f6a76dfd64ef7b78e5c6641dc319f4b652810589be1d7a6d8d44123e559c2a
                              • Instruction Fuzzy Hash: 1721CC72B1864242FBB88769A3966BE1351EF89780F4C6031EF0C97E96DD2DD5924B00
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: ExceptionFailFastRaise$Sleep
                              • String ID:
                              • API String ID: 3706814929-0
                              • Opcode ID: b4f4eecb476bf04b12e31564723069907bbc9b466724c713cfc222d08a9c6718
                              • Instruction ID: ef290471a883719eb4b7246b065b129ff98835d41794251e80e0c0b5dce33ce3
                              • Opcode Fuzzy Hash: b4f4eecb476bf04b12e31564723069907bbc9b466724c713cfc222d08a9c6718
                              • Instruction Fuzzy Hash: 55212622B2854642FB20CB5AE454BBB6351EB84780F485030FF8FE6B94ED7DD408C740
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e8e9d75f7367e1f09548789f8d2b40ec955cb63071d47f2e06fc1c59d2d11a99
                              • Instruction ID: c3f7e955553c65757e4ac35f9b02d3d5c06607e15e2b034702195b96bf704a9b
                              • Opcode Fuzzy Hash: e8e9d75f7367e1f09548789f8d2b40ec955cb63071d47f2e06fc1c59d2d11a99
                              • Instruction Fuzzy Hash: D7F0A050E6900296F914FF66AC110F5A3B11FA6780F5C2832D80EFF2A3BE4CE1484388
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                              • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                              • API String ID: 2652322181-269241671
                              • Opcode ID: 2ed5142675b828450414f6af03e9e150d3f22da0891d8269898bcd82b2a367be
                              • Instruction ID: cd99b9493355036feb7af53759c1dc183b5d073c9bb71889d1107a2c5e993eec
                              • Opcode Fuzzy Hash: 2ed5142675b828450414f6af03e9e150d3f22da0891d8269898bcd82b2a367be
                              • Instruction Fuzzy Hash: 6551D071A08A4281EB20DB61E9402BA63A1FF84B90F484235DE9DE77D5EF7DE446C700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
                              • String ID: IsWow64Process2$QueueUserAPC2$kernel32
                              • API String ID: 2652322181-269241671
                              • Opcode ID: 4825748d57e2d133e0b0926e79e8171601229c5e1e52b9d54749e5c96503095b
                              • Instruction ID: 3a71a5e64bf17c10f80a15e424d22ef51f550796a1d1324b4aeddc1a01128a44
                              • Opcode Fuzzy Hash: 4825748d57e2d133e0b0926e79e8171601229c5e1e52b9d54749e5c96503095b
                              • Instruction Fuzzy Hash: B051BE71A08A4281EB60DB61E9542BA73A1FF88B80F484135DE8EE7795EF7DE446C740
                              APIs
                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2ADC0E
                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2ADC36
                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2ADC56
                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2ADC76
                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2ADC96
                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2ADCBA
                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2ADCDE
                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2ADD02
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: strcmp
                              • String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
                              • API String ID: 1004003707-945519297
                              • Opcode ID: a2420435b7c8d9abb28f4f8f1ce3c06c939d7a2a25c3777b265420f1345e2620
                              • Instruction ID: 5da6424c7f31c20fb7d05219927ef44eaceb6714ede0108d037c6744fc1797c8
                              • Opcode Fuzzy Hash: a2420435b7c8d9abb28f4f8f1ce3c06c939d7a2a25c3777b265420f1345e2620
                              • Instruction Fuzzy Hash: 33412DA0E09A5340FB549756964017513A6AF457F4F8C0371DABCFBAEAEFACE8568300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                              • String ID: InitializeContext2$kernel32.dll
                              • API String ID: 4102459504-3117029998
                              • Opcode ID: 82a1c9d27e223d2f7ed7079b8632d6de5b9a1da43eacd26cd441cc06c39dd239
                              • Instruction ID: 32174eba507d1f8f84784e94a1992d81bf765a4a65b6097f2787977a3af2e455
                              • Opcode Fuzzy Hash: 82a1c9d27e223d2f7ed7079b8632d6de5b9a1da43eacd26cd441cc06c39dd239
                              • Instruction Fuzzy Hash: BB311A62A0DB5781FF10EB95A54027AA391BF88B90F4C0435DE8DE27A5DFBCE486C710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                              • String ID:
                              • API String ID: 510365852-3916222277
                              • Opcode ID: f93380af70f62f54b1a1923f466ad22b5765e184aabf6e9d0340985e501fe6c0
                              • Instruction ID: a895eeda8746fba6a7ff87cac4ef51dede2b37effcdf849fd00fb361b8ab459a
                              • Opcode Fuzzy Hash: f93380af70f62f54b1a1923f466ad22b5765e184aabf6e9d0340985e501fe6c0
                              • Instruction Fuzzy Hash: 1B117CB2A08B818AE760EF65B44119A7360FB407B4F180335E6BD9BAD6CF78D5428740
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID:
                              • API String ID: 3168844106-0
                              • Opcode ID: 2dee9989788879160bfabb33313de8680af437fb421886637dde01d970805108
                              • Instruction ID: c955be289dde1c23f09916ec17badf593d0e258c45e4ddba939118eb4a24458b
                              • Opcode Fuzzy Hash: 2dee9989788879160bfabb33313de8680af437fb421886637dde01d970805108
                              • Instruction Fuzzy Hash: ED617961A09B4784EB50DB55E9802B973A4FF88784F4C0936DE8CE77AADF3CE4468741
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID:
                              • API String ID: 3168844106-0
                              • Opcode ID: 20abf027c1ecf4cec0434be30c3f4d2e3ceadcdb0d0e9a6b2ffb4e85abde6f79
                              • Instruction ID: 99c71fc2e99a5b03fbaf1dc462b7e435a31d58d81dcb0699bf7bcf3f139e9cc8
                              • Opcode Fuzzy Hash: 20abf027c1ecf4cec0434be30c3f4d2e3ceadcdb0d0e9a6b2ffb4e85abde6f79
                              • Instruction Fuzzy Hash: 25513861A08B8781EB60DB55E9403B973A4FF88784F4C0536DA8DE77AADF3CE4468701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: ExceptionFailFastRaise
                              • String ID: Process is terminating due to StackOverflowException.
                              • API String ID: 2546344036-2200901744
                              • Opcode ID: edcb76423634533c14701209537ab2eaed2715ea9f1ac3b1dd4543dc0ac9788a
                              • Instruction ID: f086cb7e903f48fe12a6b75462c4046c2f67879ca2bfa91ddff65d5bdc4f578d
                              • Opcode Fuzzy Hash: edcb76423634533c14701209537ab2eaed2715ea9f1ac3b1dd4543dc0ac9788a
                              • Instruction Fuzzy Hash: EC51C561B1864281FF548B65D6803B963E0EF48B94F0C4432DB9EE77A1DFBDE8A58300
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: SwitchThread
                              • String ID:
                              • API String ID: 115865932-0
                              • Opcode ID: 95544bbce4b90e12acf5c392e48b6c2ca22bac221c7c535adcad6349c9bd3327
                              • Instruction ID: 184facda3bbce8931e8877c766c1c30136f2460e3366e0b64b2d9403a90deb38
                              • Opcode Fuzzy Hash: 95544bbce4b90e12acf5c392e48b6c2ca22bac221c7c535adcad6349c9bd3327
                              • Instruction Fuzzy Hash: 984185B2B0964785EB648EB6D24067D73A0EB05B98F6C813AC74EDE789DE3CE440C700
                              APIs
                              • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF65F2A3541), ref: 00007FF65F2ACD44
                              • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF65F2A3541), ref: 00007FF65F2ACD4E
                              • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF65F2A3541), ref: 00007FF65F2ACD6D
                              • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF65F2A3541), ref: 00007FF65F2ACD81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: ErrorLastMultipleWait$HandlesObjects
                              • String ID:
                              • API String ID: 2817213684-0
                              • Opcode ID: 71cbba1b383cf0b7fb516053fcd2ddd0c29d4ad2df29a1dc53a75a309a826a29
                              • Instruction ID: f24e571fd34e65a469df40c50d8e9d32dfdc0fe2900363b3cadc9db78275cc8b
                              • Opcode Fuzzy Hash: 71cbba1b383cf0b7fb516053fcd2ddd0c29d4ad2df29a1dc53a75a309a826a29
                              • Instruction Fuzzy Hash: 5711C276B0CA55C2D7289B9AB51012AB7A1FB84B80F1C0139FADDD7B99CF7CE4408B40
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 2933794660-0
                              • Opcode ID: 78dc8e12354e733f786b704134a88d0c69524484bd1249ff473f58f1b1045164
                              • Instruction ID: b8cf75a7c3e86874758eca647d68b2a348af3b6dfe424b4eaeeb80497839566a
                              • Opcode Fuzzy Hash: 78dc8e12354e733f786b704134a88d0c69524484bd1249ff473f58f1b1045164
                              • Instruction Fuzzy Hash: F9113C22B14F068AEB00DF60EC542B933A4FB59758F480E31EA6D967A5EF7CD5988340
                              APIs
                              • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F30C243), ref: 00007FF65F30CF80
                              • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65F30C243), ref: 00007FF65F30CFC1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: ExceptionFileHeaderRaise
                              • String ID: csm
                              • API String ID: 2573137834-1018135373
                              • Opcode ID: 2158b8275b8e927ea860eb8b48a04596ff7d9b9df4afa64fc7c7d762c6f39301
                              • Instruction ID: c919d33e1d5d742f689e5cbc1608fee284cbb0da2d066c4074f85aea4157329f
                              • Opcode Fuzzy Hash: 2158b8275b8e927ea860eb8b48a04596ff7d9b9df4afa64fc7c7d762c6f39301
                              • Instruction Fuzzy Hash: C9112832A18B8182EB218B15E44026AB7E5FB88B94F584231EECD5BB69DF7CD551CB40
                              APIs
                              • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF65F2ADD43,?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2AE51B
                              • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF65F2ADD43,?,?,?,00007FF65F2B4107,?,?,?,?,00007FF65F2AD115), ref: 00007FF65F2AE558
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: _stricmpstrtoull
                              • String ID: HeapVerify
                              • API String ID: 4031153986-2674988305
                              • Opcode ID: 7c2d8afe691a5ee2b53f1849f6005c7252510a015ecc9786c3c7096a8c5378b9
                              • Instruction ID: 480356edee1137f8dd2602aec1c8f9d876f24042ddb99d35633e1fccaf03554e
                              • Opcode Fuzzy Hash: 7c2d8afe691a5ee2b53f1849f6005c7252510a015ecc9786c3c7096a8c5378b9
                              • Instruction Fuzzy Hash: 5001D475A09A428AE7109F12F9900B9B3E0FB44790F5C9035DA9DA3B09DF7CE483C740
                              APIs
                              • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF65F2C5BEF,?,?,?,00007FF65F2D33BB), ref: 00007FF65F2C5ABD
                              • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF65F2C5BEF,?,?,?,00007FF65F2D33BB), ref: 00007FF65F2C5B12
                              • EnterCriticalSection.KERNEL32(?,?,00000080,00007FF65F2C5BEF,?,?,?,00007FF65F2D33BB), ref: 00007FF65F2C5B2F
                              • LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF65F2C5BEF,?,?,?,00007FF65F2D33BB), ref: 00007FF65F2C5B4C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1894119609.00007FF65F2A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65F2A0000, based on PE: true
                              • Associated: 00000000.00000002.1894090588.00007FF65F2A0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894325462.00007FF65F3EB000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894422722.00007FF65F438000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E1000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4E8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894595822.00007FF65F4ED000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1894735412.00007FF65F4F0000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff65f2a0000_RFQ 10046335 PO 4502042346 PR 11148099 411128.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID:
                              • API String ID: 3168844106-0
                              • Opcode ID: 9c10fe2d41da5fcf24ebd0dc57c9b975ec7e9fa6664dec3526ce990308116dda
                              • Instruction ID: a21d3ac6775afe2ebdad8dc5dc93291d2136ed8aa8ba202ab87857fac8a104b0
                              • Opcode Fuzzy Hash: 9c10fe2d41da5fcf24ebd0dc57c9b975ec7e9fa6664dec3526ce990308116dda
                              • Instruction Fuzzy Hash: 3221B271A08A4792EB04CF51EA512B923A4EF157E4F8C0235DE6CA77DACF2CE0568701

                              Execution Graph

                              Execution Coverage:7.1%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:44
                              Total number of Limit Nodes:4
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b9371356085fb1c6830d542efa933368b7b393df141400b5dd912edd8eb86f76
                              • Instruction ID: 444ccf614b74a4fd882f6aebd1822f205469c598a32590a44e5367300b92c2f1
                              • Opcode Fuzzy Hash: b9371356085fb1c6830d542efa933368b7b393df141400b5dd912edd8eb86f76
                              • Instruction Fuzzy Hash: 48927D75A002059FDB14DF65C895BAEBBB2FF88310F148969E50A9B7A1DF70EC41CB90

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: def7711e8c91359d56ec59581aaaf8c7a3212a9d141bfbf2711c087e7df6f25d
                              • Instruction ID: 3c7e5fd752396f49c1bbf3938dfcdaa7ceff362e277377094ff3865ef120d155
                              • Opcode Fuzzy Hash: def7711e8c91359d56ec59581aaaf8c7a3212a9d141bfbf2711c087e7df6f25d
                              • Instruction Fuzzy Hash: 5962CE74A002148FDB54DF64D899BAEBBB6FF88301F1085A9E54A9B3A5DF309D81CF50
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f7f8f253015c3cc146a47d287e5f90ad4eb051dda1b6ae4426761ed19a98360c
                              • Instruction ID: 4fe734c787ce6d89f97b79b659073ea0ba025e87b6f4393daf25f160f7a1338b
                              • Opcode Fuzzy Hash: f7f8f253015c3cc146a47d287e5f90ad4eb051dda1b6ae4426761ed19a98360c
                              • Instruction Fuzzy Hash: 3BD13A34B002059FDB18DF69D585AAEBBF2FF88310B548569E90ADB365DB30ED42CB50

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00B3B086
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995960854.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_b30000_jsc.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 108baf7beb2d731c04b5677abdfed8e2024c21d1b225ca6d4e12c825e6d0b93b
                              • Instruction ID: ba3517d9913dcb991b3c3ae504f6b1069efc9ec99f0255d5246490facfee344e
                              • Opcode Fuzzy Hash: 108baf7beb2d731c04b5677abdfed8e2024c21d1b225ca6d4e12c825e6d0b93b
                              • Instruction Fuzzy Hash: 318168B0A00B058FDB24DF69D04179ABBF1FF88304F20896ED48AD7A51D775E849CB91

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00B359F1
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995960854.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_b30000_jsc.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 1bb84c1a615c9b2fbefc5a2242539f3b52819962ff5cedce97d5554a93a21b76
                              • Instruction ID: d0be10cd2cb4d5679e16ae6a02c64f6a6af9aad2ce7ebe1d2d462017d9763344
                              • Opcode Fuzzy Hash: 1bb84c1a615c9b2fbefc5a2242539f3b52819962ff5cedce97d5554a93a21b76
                              • Instruction Fuzzy Hash: C641D1B0D00719CEDB24CFAAC984B9DBBF6FF49304F2481AAD408AB251DB756945CF90

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00B359F1
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995960854.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_b30000_jsc.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: b5aab47827c91ad99612484109bfb81784e3731d3a0192615f1ed7284f54206b
                              • Instruction ID: cbda5a3d9d892d6bd99cee9e56b38486a8f1fdc17f171d022ca2def31a3a5d17
                              • Opcode Fuzzy Hash: b5aab47827c91ad99612484109bfb81784e3731d3a0192615f1ed7284f54206b
                              • Instruction Fuzzy Hash: 3641C1B0D00619CBDB24CFAAC984B9EBBF6FF48304F60816AD408AB251DB756945CF90

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B3D2C6,?,?,?,?,?), ref: 00B3D387
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995960854.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_b30000_jsc.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 97fbadc124cc3daf620667a4969950a8b1ca1b3348fab8f25e5fbe11ceea97df
                              • Instruction ID: 7e3dc105d4b1f4f827ae7927ecfcfeea845d32605f9e1210341e181efaca4122
                              • Opcode Fuzzy Hash: 97fbadc124cc3daf620667a4969950a8b1ca1b3348fab8f25e5fbe11ceea97df
                              • Instruction Fuzzy Hash: A021E6B5900348DFDB10CF9AD984AEEBBF5EB48310F24845AE914A7310D378A954CFA5

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B3D2C6,?,?,?,?,?), ref: 00B3D387
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995960854.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_b30000_jsc.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 096e5dff38a586e2ee750b463ee3a4949674678b21a45ed06a7eb81b798f811c
                              • Instruction ID: c64aa4cd2b31c4b17c562a79d8cec31db1723ac472d06cf9671dd633a037113f
                              • Opcode Fuzzy Hash: 096e5dff38a586e2ee750b463ee3a4949674678b21a45ed06a7eb81b798f811c
                              • Instruction Fuzzy Hash: 7E21E4B5900249DFDB10CFA9E580ADEBBF5EB48314F24805AE918E3350C378A954CF65

                              Control-flow Graph

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B3B101,00000800,00000000,00000000), ref: 00B3B312
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995960854.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_b30000_jsc.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 085ed60f7adb7c3661d4225dd3904170c4d853ca034137f2dad9c9b243749b11
                              • Instruction ID: 78d6e540123c3401819c3774a5733c601ced310448026595c25503fcb056565a
                              • Opcode Fuzzy Hash: 085ed60f7adb7c3661d4225dd3904170c4d853ca034137f2dad9c9b243749b11
                              • Instruction Fuzzy Hash: F41117B6D003499FDB10CF9AC444ADEFBF4EB48314F20845AD515A7200C375A544CFA5

                              Control-flow Graph

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B3B101,00000800,00000000,00000000), ref: 00B3B312
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995960854.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_b30000_jsc.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 30d219c04427347180b61fc5780f4d173dc501ae2296c36d314638de88599670
                              • Instruction ID: 93b4c463a129f5b7735e669f66ff46773666dacd5e33e38e6f9707843f9c0d76
                              • Opcode Fuzzy Hash: 30d219c04427347180b61fc5780f4d173dc501ae2296c36d314638de88599670
                              • Instruction Fuzzy Hash: A611D3B69002498FDB10CF9AD444ADEFBF4EB98310F14845AD569A7200C379A545CFA5

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00B3B086
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995960854.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_b30000_jsc.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 7ba923b4aae9a320b3de7c7cc2e3cf7317f9ab3997d3f920a4b628c14e67f703
                              • Instruction ID: b5d37879d2ce0aac733e27a6a28773f90b6e8bab0f14e4764347d8c671152843
                              • Opcode Fuzzy Hash: 7ba923b4aae9a320b3de7c7cc2e3cf7317f9ab3997d3f920a4b628c14e67f703
                              • Instruction Fuzzy Hash: 4F11CDB6C003498ECB24CF9AD444A9EFBF4EB88324F24845AD529A7610D379A545CFA1

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6c893d908a7742045cd09bf1a03ed5691b7c41e027df843cbb017665234fc102
                              • Instruction ID: 32e4f2baa7ef2443e7bf5267591e4780a502a87e101957e7f939534bf31a31f8
                              • Opcode Fuzzy Hash: 6c893d908a7742045cd09bf1a03ed5691b7c41e027df843cbb017665234fc102
                              • Instruction Fuzzy Hash: 50E148757002159FDB14DFB8C899A6A7BB6FF89300F1584A9E50ACB3A2DE30ED41CB51
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 246862d7059f1d26bfe207ca840e678387a8064235a200277790a50651984d9d
                              • Instruction ID: e1891e91a2811186d17931b08636337b3bdc67350249f5f29ab706887136abbc
                              • Opcode Fuzzy Hash: 246862d7059f1d26bfe207ca840e678387a8064235a200277790a50651984d9d
                              • Instruction Fuzzy Hash: CCE13D74A00206DFDB14DFA5D995A9EBBB2FF88310F158569E9069B361DB30EC41CF90
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6be6be1c94b5a639f825d17118f0f491816807988ee2a8d4a686c5a5b53ca787
                              • Instruction ID: 50f36e6e8bc28bae98251ce4fbf1e387f5c31e328046cfc78c91663b3c5756a2
                              • Opcode Fuzzy Hash: 6be6be1c94b5a639f825d17118f0f491816807988ee2a8d4a686c5a5b53ca787
                              • Instruction Fuzzy Hash: EED1F974A00219CFDB15DF64D859BAD7BB2FB88301F1084A9E90AAB3A5DF319D81CF50
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2fd20d755a5d0634d5e5e88e3a79e05461c8dfa37738952084c52cee60df40f0
                              • Instruction ID: 2cd4f3596e7e8882bffe153fbc7cfad7c874f6bb462877f593e09d5265bf026a
                              • Opcode Fuzzy Hash: 2fd20d755a5d0634d5e5e88e3a79e05461c8dfa37738952084c52cee60df40f0
                              • Instruction Fuzzy Hash: 02714C34B012449FEB55DB69C459AAE7BF6BF8D310F1884A9E806DB3A1DE34DC41CB50
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90f37a11857a7cd65f54578a276f9b8b598dbd02a3a9fe2ef53537d8aeff168d
                              • Instruction ID: 23977d49cb237cecd09bfd7d0f6bceb7e9aa90317cb9e7e4b42dd91d74663430
                              • Opcode Fuzzy Hash: 90f37a11857a7cd65f54578a276f9b8b598dbd02a3a9fe2ef53537d8aeff168d
                              • Instruction Fuzzy Hash: CB717E34A012059FDB18DF78D585AAEBBF2FF88300B64846AE905DB361DB30ED42DB51
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc6f661921c37c2de5f86c46cc8cf90630c1a61bab00dd1adbbbd6741bbe5756
                              • Instruction ID: b01ba4286441e6b419b51b3efbce3c2ac3b56df85fc1552efa9d136b77d810f2
                              • Opcode Fuzzy Hash: dc6f661921c37c2de5f86c46cc8cf90630c1a61bab00dd1adbbbd6741bbe5756
                              • Instruction Fuzzy Hash: 65511571E042569FDB08DB78D8957EA7FB2EF85350F08C4AAD4499B262EE30D806C791
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 358c177661da096140721a1156fa9528415d75430dcfd49f072b1f8ef7da75d2
                              • Instruction ID: ebc28c217a29c78822a2fa4040c8d33468c105b6ab2ba165c649b4a52dc3eedf
                              • Opcode Fuzzy Hash: 358c177661da096140721a1156fa9528415d75430dcfd49f072b1f8ef7da75d2
                              • Instruction Fuzzy Hash: 8B514B76A001059FDB04DF61CC80EEABBBAFF8C350B0181A5EA159B275EB35D912DB50
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f23140ecb337edd6382ead8a828ee5fa3a6af559d3235507e62bdfb9c011b4bd
                              • Instruction ID: 51cacf5bf02269338bc37b9742ae6f940d71b8ca0772c6b29d3d45d0b3eab7e4
                              • Opcode Fuzzy Hash: f23140ecb337edd6382ead8a828ee5fa3a6af559d3235507e62bdfb9c011b4bd
                              • Instruction Fuzzy Hash: 7C51A334A00209DFDB14DFA4D995EAEBBB2FF88310F158559E916AB361CB31E842DF50
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a7249d4c2b9609c30863ab7f56ea0afe1ce53fb758f0b1e76650bc51a79f4ce7
                              • Instruction ID: 2f1aaf068d66c077c378066fe31539ab36833a3f7878bfaa8b9a8eed19e2daaa
                              • Opcode Fuzzy Hash: a7249d4c2b9609c30863ab7f56ea0afe1ce53fb758f0b1e76650bc51a79f4ce7
                              • Instruction Fuzzy Hash: EF41B175A00205DFDB04DFB4C885AEEBBB6FF89300F1580AAE905DB265EB31D942CB50
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57d3f5094158c3809cdc0de6fc7248883daf32883400d9fa7ec48ecf86f02e83
                              • Instruction ID: fe9ead6ca318d2a419a418453a3fcb41c37e6a0f8e93ed4f3d276b5c09b645cc
                              • Opcode Fuzzy Hash: 57d3f5094158c3809cdc0de6fc7248883daf32883400d9fa7ec48ecf86f02e83
                              • Instruction Fuzzy Hash: 0441C330B003559FEB18AB78942976E7BF2BF89300F1488AAE506D77D1EE349D41CB41
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c21e56dc75cde531bcf0e92d9be1ed614b4df9c9a4090338a8ba9f8bba1e3cef
                              • Instruction ID: eaa155ff745b5d0e6be25b8aae0df714ca27e17d13c0e7ee5b1984bd27bc2771
                              • Opcode Fuzzy Hash: c21e56dc75cde531bcf0e92d9be1ed614b4df9c9a4090338a8ba9f8bba1e3cef
                              • Instruction Fuzzy Hash: 6D41E974A10504DFDB44DFA8D959B9DBBB2FF88304F1480A9E506AB3B1DB31AD41CB40
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1203d7e178151907bcfb188e6197b89e3b4482a7ab3857f57aca86a60cab7890
                              • Instruction ID: 83e92cbfcf2265fd2112917afe7c3ad8ad8bdf44a17b5c6a08c12172a5de371c
                              • Opcode Fuzzy Hash: 1203d7e178151907bcfb188e6197b89e3b4482a7ab3857f57aca86a60cab7890
                              • Instruction Fuzzy Hash: 5531D434B04200AFDB549BB8D45ABAE7FE6BF88300F144469E50AD7391DF349982CB91
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995546557.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_97d000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b39f08360ce85555f2fbcb004b926e8e9060b18fcb423d9eefc337ba7b9d66d
                              • Instruction ID: e4ae3bbbaa961c09bc48ae048c358ef6be46781b5b8c153109ad65dc6fdc7a7e
                              • Opcode Fuzzy Hash: 3b39f08360ce85555f2fbcb004b926e8e9060b18fcb423d9eefc337ba7b9d66d
                              • Instruction Fuzzy Hash: AB2121B2504200DFCB05DF14C9C0B26BF79FF88328F24C969E9090A25AC33AD806CAA1
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: da1c3ab5b563ad7f9eb18b169ac9689ff2299356be2da36d42550de209b127cf
                              • Instruction ID: f84645b89776d9ea2753b043b519b6586b4e80d8dfe53348367ef2362cf9cfa5
                              • Opcode Fuzzy Hash: da1c3ab5b563ad7f9eb18b169ac9689ff2299356be2da36d42550de209b127cf
                              • Instruction Fuzzy Hash: 8D216235700106AFDB10DF64C846AAF7BB6FF88350F1584AAE9169B375DB30D945CB90
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995590539.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_98d000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d43e8d91b6e3f5a5308e0b1efc3c5452339ec918db30658db89801c33b0c71b4
                              • Instruction ID: b91ac453d84e45a800b9c52255caa552517301a46e698205373e5da8f7f066e8
                              • Opcode Fuzzy Hash: d43e8d91b6e3f5a5308e0b1efc3c5452339ec918db30658db89801c33b0c71b4
                              • Instruction Fuzzy Hash: 762122B1604200EFDB14EF14D9C0B26BB69FB84314F20C96DE80A4B386C33AD807CB61
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 898beb1823cdd1112dc457c01e8a76419946dacd681ca367e4ef0905ff5a9e43
                              • Instruction ID: 6fcaac37a92e22fc609d58e3fab0653da6ddf32a37b20d32a377e938bde25e11
                              • Opcode Fuzzy Hash: 898beb1823cdd1112dc457c01e8a76419946dacd681ca367e4ef0905ff5a9e43
                              • Instruction Fuzzy Hash: 422181316001068FCB04EB79D986AAABBB6FF84200B148459E54D9B376DB30AD42CB51
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995590539.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_98d000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 089817e4a97c556e25e59088938445a80019e051a2419788a41527d54ab63f3a
                              • Instruction ID: d3ff6561d9e78684d6a8d0118e9ba32b0490668cbc64388af27b49fa519ee3af
                              • Opcode Fuzzy Hash: 089817e4a97c556e25e59088938445a80019e051a2419788a41527d54ab63f3a
                              • Instruction Fuzzy Hash: F6218E755093808FDB12DF24D990B15BF71EB46314F28C5EAD8498B6A7C33AD80ACB62
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 948648a90814f3effaf210682e3b7bce25d01b5633bae00c012729f915034aa6
                              • Instruction ID: d55c195d4de32fd44075ae85a6ff111dd7cea49793b5d5553157142a71d99db7
                              • Opcode Fuzzy Hash: 948648a90814f3effaf210682e3b7bce25d01b5633bae00c012729f915034aa6
                              • Instruction Fuzzy Hash: 40114C317001068FCB04EB69DA85AAEBBB6FF84200B14C569E50D9B375DB30ED45CB61
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995546557.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_97d000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                              • Instruction ID: 42dc77970e22c5f5ef5483b3f161ef4192a4519163e8df824be886229a62a4b8
                              • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                              • Instruction Fuzzy Hash: 3A11E676504280CFDB16CF14D5C4B16BF72FF94328F24C6A9E8494B65AC33AD85ACBA1
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 868362de849174bbd042704ab7607dac8e81ecb29c6ea7846a1e659789e10afc
                              • Instruction ID: 3891065fbc1cc054cbed4a7a55d4f7374bd5d8adf86bbfabc15cf6344bc3e378
                              • Opcode Fuzzy Hash: 868362de849174bbd042704ab7607dac8e81ecb29c6ea7846a1e659789e10afc
                              • Instruction Fuzzy Hash: FF117330B00208EFEB149BB8D41ABAD7FF6AF89301F5044A6E905D7391DE319D418B91
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 78cda499c33701979805db47466e64d9c66bad9fddda73ab8f38f6978af61be7
                              • Instruction ID: f2601f1aee7c4c602fed4ab4750bf6561b5668aa2da25716f40ead9f437ec938
                              • Opcode Fuzzy Hash: 78cda499c33701979805db47466e64d9c66bad9fddda73ab8f38f6978af61be7
                              • Instruction Fuzzy Hash: 97118271E042288BDF19DB69D4165DEBBF5BF8D710F00856AD442B72A0DF70A948CBA0
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 645240e831a89975902739d1bcfec7d04b5c6524048ec66c3b25a3e9f4f4b833
                              • Instruction ID: 8df06efa3b826bfeebc9b7280d59627b5f7332dec0715053022747317d7815cb
                              • Opcode Fuzzy Hash: 645240e831a89975902739d1bcfec7d04b5c6524048ec66c3b25a3e9f4f4b833
                              • Instruction Fuzzy Hash: 0F119075E042188BDB19CB68C9066DEBBF5BF4D300F04856AD442B72A0DB74A988CBA0
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995546557.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_97d000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c789e594b3cb02e965475de3dd051ad52a26cb049a008355ad7848db05877300
                              • Instruction ID: 64664d708383ea0d4a0b227808df10e5708ad703464832856c9c00bfd1a8a5f7
                              • Opcode Fuzzy Hash: c789e594b3cb02e965475de3dd051ad52a26cb049a008355ad7848db05877300
                              • Instruction Fuzzy Hash: 4101F27200E3409AE7188A29C9C0B67BFBCFF41324F18C86AED0D5A282D7789C40C6B1
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc9d61f3d2b6f9e046605fe31a0531fd6221ef57be1e7c2e0ec08fa65bd9a378
                              • Instruction ID: f16028e67a3d6275cbcb65971f33267e62fb100d0cd349209a60466d3aa2ed0e
                              • Opcode Fuzzy Hash: fc9d61f3d2b6f9e046605fe31a0531fd6221ef57be1e7c2e0ec08fa65bd9a378
                              • Instruction Fuzzy Hash: 4601F2357002049BCB299B68E88ABBF3FAAEBC0711F044568F5079B381DE309806CB91
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a086b982b145dd30185d62882f1add1d56cb1987019c743b47cec9112cab435e
                              • Instruction ID: 12354b278ea5b816ab2c94c267202ad97e43f92740a9a3f97293deaada609d50
                              • Opcode Fuzzy Hash: a086b982b145dd30185d62882f1add1d56cb1987019c743b47cec9112cab435e
                              • Instruction Fuzzy Hash: 47F028357002009BCB189B65F84ABBF7BABEBC4750F048568F5078B380DF709805CB90
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9ec8b2cf5c016854b04e91ec09935906f8ca7dd9b317c90e9c06a163110da5d7
                              • Instruction ID: 00a146a74c7081bcea7ff206ad1e67a325c35151e6b59e574df3a53f785dfeee
                              • Opcode Fuzzy Hash: 9ec8b2cf5c016854b04e91ec09935906f8ca7dd9b317c90e9c06a163110da5d7
                              • Instruction Fuzzy Hash: 6CF09035B542149BE718A6A8A85F7FA3A5AA748740F1400AAF64ACB2D1CF645C418BD0
                              Memory Dump Source
                              • Source File: 00000004.00000002.1995546557.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_97d000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 472c47569b7ff42195e2d9b467c16cd822b11f281ee47887aba234ee8ce0183e
                              • Instruction ID: b54aae7676ab9f36c2ef01cef7520c0654ade1d8c8a10c076ed7b40039344270
                              • Opcode Fuzzy Hash: 472c47569b7ff42195e2d9b467c16cd822b11f281ee47887aba234ee8ce0183e
                              • Instruction Fuzzy Hash: A0F062724093449EE7148A19D9C4B67FFACEF51734F18C45AED0C5A286D3799C44CA71
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ca694902f49bfc6f8ae3aa0b5b03f9b98b3062581519fb47a306a69a8bd63b6
                              • Instruction ID: 194c02c2fa7047cd590921cefb4691d4148ae03c228382856ff1c095241628a6
                              • Opcode Fuzzy Hash: 4ca694902f49bfc6f8ae3aa0b5b03f9b98b3062581519fb47a306a69a8bd63b6
                              • Instruction Fuzzy Hash: 9CF02835A04104FBDB1C8B58E412BE6BFB1FF49215F44849ED99E43A54C721B496CB80
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bd66d827d706e9a12ca234a0fdccb204476353a31dcfb2685a75fa6b5894001
                              • Instruction ID: b9cdd4a1444efa9cbd251f5c108699c03ef0878ddef94d9ad93fb3b3a7cd6d21
                              • Opcode Fuzzy Hash: 2bd66d827d706e9a12ca234a0fdccb204476353a31dcfb2685a75fa6b5894001
                              • Instruction Fuzzy Hash: 48F02EB2A041599FDB11CE69EC657DABF79EB88350F0004BBE545E3340DA705954CB60
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e0906eb550df0934b4f365ca090353c7f22f0d76db1245f173245d165c7c03b0
                              • Instruction ID: 8d48663641accd4d06d4890221ca06bdd40bb403b55b5d4ab0a6bc6a4714af1c
                              • Opcode Fuzzy Hash: e0906eb550df0934b4f365ca090353c7f22f0d76db1245f173245d165c7c03b0
                              • Instruction Fuzzy Hash: DFF0AB3120C2414FD7464B68E58DB9A3FB9AF00711B0510AFF087DBAB2EF209885CB41
                              Memory Dump Source
                              • Source File: 00000004.00000002.2002751296.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_5430000_jsc.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c7f9d234414e16aa6925a5136aa009355e3b305a973cd99868d01e3c78098b91
                              • Instruction ID: c9ad77d50af54473c5a767e9526ac7e7445192e0bf7dfd6d861d32c25b4c3f60
                              • Opcode Fuzzy Hash: c7f9d234414e16aa6925a5136aa009355e3b305a973cd99868d01e3c78098b91
                              • Instruction Fuzzy Hash: 8DD0A778F142448BD759933C489A7663AB67789189FC400D6C6A783366DF24FD03DB61