
Windows Analysis Report
6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe

Overview

General Information

Sample name:6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
Analysis ID:1465716
MD5:e295671d8a71cd7a1ae699a2d47fa176
SHA1:1066c6cb764d5c47e40e87f8511bd2410c0e787f
SHA256:4e7c1a1fe4d6a92b37597aca22fd1701cb11071a225c9cd0673645b120fe77fe
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

  • System is w10x64
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["185.196.9.26:6302"], "Authorization Header": "1d35c3d8e5f5b5bc719234554ae131d3"}
Source | Rule | Description | Author
6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.2008894508.0000000000292000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe PID: 3580 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe PID: 3580 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe.290000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/02/24-00:31:56.181866 | 2043234 | 6302 | 49704 | TCP | A Network Trojan was detected
07/02/24-00:32:03.217448 | 2043231 | 49704 | 6302 | TCP | A Network Trojan was detected
07/02/24-00:31:55.903421 | 2046045 | 49704 | 6302 | TCP | A Network Trojan was detected
07/02/24-00:32:01.504238 | 2046056 | 6302 | 49704 | TCP | A Network Trojan was detected

AV Detection

Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Malware Configuration Extractor: RedLine {"C2 url": ["185.196.9.26:6302"], "Authorization Header": "1d35c3d8e5f5b5bc719234554ae131d3"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Joe Sandbox ML: detected
Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 185.196.9.26:6302
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49704 -> 185.196.9.26:6302
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 185.196.9.26:6302 -> 192.168.2.5:49704
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 185.196.9.26:6302 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 185.196.9.26:6302
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 185.196.9.26:6302
Source: Joe Sandbox View | ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
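The Snort signatures above key on the .NET Message Framing (MC-NMF) preamble that a WCF net.tcp client sends before any SOAP payload. RedLine's C2 is known to run over a WCF net.tcp channel, which is consistent with the System.ServiceModel (WS-*) namespace strings recovered from process memory further down and explains why the extracted configuration holds a bare host:port plus an Authorization header rather than an HTTP URL. The Python below is an added example, not part of the Joe Sandbox report and not RedLine's or Joe Security's code: it parses the framing preamble record by record, recovers the Via URI the client names, and checks it against the extracted C2 list. The record layout follows the published [MC-NMF] specification; the sample bytes are constructed for the example from the page's C2 endpoint and are not taken from dump.pcap.

```python
"""Parse a .NET Message Framing (MC-NMF) net.tcp preamble and compare the Via
URI it carries with the C2 endpoint from an extracted RedLine configuration.

Added example; record types and size encoding follow the [MC-NMF] spec.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Record type bytes ([MC-NMF] 2.2.3). Only the preamble records are handled here.
VERSION_RECORD = 0x00
MODE_RECORD = 0x01
VIA_RECORD = 0x02
KNOWN_ENCODING_RECORD = 0x03
PREAMBLE_END_RECORD = 0x0C

MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "UTF-8 SOAP 1.1", 1: "UTF-16 SOAP 1.1", 2: "Unicode FFFE SOAP 1.1",
             3: "UTF-8 SOAP 1.2", 4: "UTF-16 SOAP 1.2", 5: "Unicode FFFE SOAP 1.2",
             6: "MTOM", 7: "Binary", 8: "Binary with in-band dictionary"}


@dataclass
class Preamble:
    version: tuple
    mode: str
    via: str
    encoding: str
    consumed: int  # bytes of the buffer used up to and including PreambleEnd


def read_varint(buf: bytes, pos: int):
    """MC-NMF sizes are little-endian base-128 with a continuation bit (max 5 bytes)."""
    value, shift = 0, 0
    for i in range(5):
        if pos + i >= len(buf):
            raise ValueError("truncated size field")
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos + i + 1
        shift += 7
    raise ValueError("size field longer than 5 bytes")


def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def parse_preamble(buf: bytes) -> Preamble:
    """Walk records until PreambleEnd; reject unknown record types and truncation."""
    pos = 0
    version = mode = via = encoding = None

    def need(n):
        if pos + n > len(buf):
            raise ValueError(f"truncated record at offset {pos}")

    while pos < len(buf):
        rec = buf[pos]
        pos += 1
        if rec == VERSION_RECORD:
            need(2); version = (buf[pos], buf[pos + 1]); pos += 2
        elif rec == MODE_RECORD:
            need(1); mode = MODES.get(buf[pos], f"unknown({buf[pos]})"); pos += 1
        elif rec == VIA_RECORD:
            n, pos = read_varint(buf, pos)
            need(n); via = buf[pos:pos + n].decode("utf-8"); pos += n
        elif rec == KNOWN_ENCODING_RECORD:
            need(1); encoding = ENCODINGS.get(buf[pos], f"unknown({buf[pos]})"); pos += 1
        elif rec == PREAMBLE_END_RECORD:
            break
        else:
            raise ValueError(f"unexpected record type 0x{rec:02x} at offset {pos - 1}")
    if None in (version, mode, via, encoding):
        raise ValueError("incomplete preamble")
    return Preamble(version, mode, via, encoding, pos)


def via_matches_c2(via: str, c2_entries) -> bool:
    """True when the Via is a net.tcp URI whose host:port is in the extracted C2 list."""
    u = urlparse(via)
    return u.scheme == "net.tcp" and f"{u.hostname}:{u.port}" in c2_entries


# Constructed sample (not a capture): the preamble a net.tcp client would send to the
# endpoint named in the page's extracted configuration, duplex mode, binary encoding.
VIA = b"net.tcp://185.196.9.26:6302/"
SAMPLE = (bytes([VERSION_RECORD, 1, 0]) + bytes([MODE_RECORD, 2])
          + bytes([VIA_RECORD]) + encode_varint(len(VIA)) + VIA
          + bytes([KNOWN_ENCODING_RECORD, 8]) + bytes([PREAMBLE_END_RECORD]))
CONFIG = {"C2 url": ["185.196.9.26:6302"],
          "Authorization Header": "1d35c3d8e5f5b5bc719234554ae131d3"}

if __name__ == "__main__":
    p = parse_preamble(SAMPLE)
    print(p)
    print("via matches extracted C2:", via_matches_c2(p.via, CONFIG["C2 url"]))
```

The Authorization value from the configuration is not in the preamble; it travels inside the first framed SOAP message, which is what the "MC-NMF Authorization" signature inspects, so a preamble-only check like this one identifies the transport and endpoint but not the operator key.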
Source: unknown | TCP traffic detected without corresponding DNS query: 185.196.9.26 (15 occurrences)
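The repeated "TCP traffic detected without corresponding DNS query" entries are one heuristic: a connection to an external address that no DNS answer in the capture accounts for, which is exactly how a hard-coded C2 address such as the one in the extracted configuration looks on the wire. The Python below is an added example, not Joe Sandbox's own detection logic, showing how to implement that check over DNS and connection records and how to separate "never resolved" from "resolved too long ago". The event records are constructed for the example (field names loosely follow Zeek dns.log and conn.log), the 600-second freshness window and the common-port list are assumptions, and the only real-world address used is the C2 from this report.

```python
"""Flag outbound TCP connections to external addresses that no recent DNS answer
explains, and note when the destination port is non-standard.

Added example; input records are constructed, not taken from dump.pcap.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Addresses treated as internal and therefore never expected to be resolved first.
INTERNAL_NETWORKS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Assumed list of ports a benign client commonly talks to; anything else is "non-standard".
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def build_resolution_index(dns_events):
    """Map each answered IP to the (timestamp, queried name) pairs that produced it."""
    index = defaultdict(list)
    for ev in dns_events:
        for answer in ev["answers"]:
            index[answer].append((ev["ts"], ev["query"]))
    return index


def find_unresolved_connections(dns_events, conn_events, max_age=600.0):
    """Return one finding per external TCP connection lacking a fresh DNS answer.

    reason is "no_dns" when the address never appeared in any answer and
    "dns_stale" when it did, but only outside the max_age window before the connection.
    """
    index = build_resolution_index(dns_events)
    findings = []
    for conn in conn_events:
        if conn["proto"] != "tcp" or is_internal(conn["dst"]):
            continue
        history = index.get(conn["dst"], [])
        fresh = [(t, q) for t, q in history if 0 <= conn["ts"] - t <= max_age]
        if fresh:
            continue
        findings.append({
            "ts": conn["ts"],
            "src": conn["src"],
            "dst": f'{conn["dst"]}:{conn["dport"]}',
            "reason": "dns_stale" if history else "no_dns",
            "nonstandard_port": conn["dport"] not in COMMON_PORTS,
        })
    return findings


# Constructed sample events. 203.0.113.0/24 is a documentation range used here as a
# stand-in for ordinary resolved destinations; 185.196.9.26:6302 is the page's C2.
DNS_EVENTS = [
    {"ts": 100.0, "query": "cdn.example.org", "answers": ["203.0.113.7", "203.0.113.8"]},
]
CONN_EVENTS = [
    {"ts": 101.0, "src": "192.168.2.5", "dst": "203.0.113.7", "dport": 443, "proto": "tcp"},
    {"ts": 110.0, "src": "192.168.2.5", "dst": "185.196.9.26", "dport": 6302, "proto": "tcp"},
    {"ts": 111.0, "src": "192.168.2.5", "dst": "192.168.2.1", "dport": 445, "proto": "tcp"},
    {"ts": 900.0, "src": "192.168.2.5", "dst": "203.0.113.8", "dport": 80, "proto": "tcp"},
]

if __name__ == "__main__":
    for f in find_unresolved_connections(DNS_EVENTS, CONN_EVENTS):
        print(f)
```

Connections that arrive before the capture started, hosts that use DNS-over-HTTPS, and caching resolvers all produce the same "no DNS" pattern, so this heuristic is a triage signal to be combined with the port and payload evidence above rather than a verdict on its own.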
Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  http://schemas.xmlsoap.org/ws/2004/10/wscoor
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  http://schemas.xmlsoap.org/ws/2005/02/sc
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  http://schemas.xmlsoap.org/ws/2005/02/trust
  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002AC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002AC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Code function: 0_2_00D0DC74
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000000.2008918933.00000000002D4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLeve.exe8 vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2106555671.00000000009FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002944000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirefox.exe0 vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002944000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $eq,\\StringFileInfo\\000004B0\\OriginalFilename vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002944000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002944000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $eq,\\StringFileInfo\\040904B0\\OriginalFilename vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002944000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002944000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002944000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $eq,\\StringFileInfo\\080904B0\\OriginalFilename vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002944000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Binary or memory string: OriginalFilenameLeve.exe8 vs 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File created: C:\Users\user\AppData\Local\SystemCache
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Mutant created: NULL
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Static PE information: 0x939FA7C9 [Thu Jun 25 16:05:29 2048 UTC]
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeMemory allocated: C40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeMemory allocated: 2630000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWindow / User API: threadDelayed 585
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWindow / User API: threadDelayed 1746
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe TID: 5016Thread sleep time: -11990383647911201s >= -30000s
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe TID: 6980Thread sleep count: 585 > 30
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe TID: 6980Thread sleep count: 1746 > 30
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe TID: 4124Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2106555671.0000000000AC9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2110516737.0000000003799000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000027D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeMemory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2114088628.000000000591C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, type: SAMPLE
Source: Yara match | File source: 0.0.6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2008894508.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe PID: 3580, type: MEMORYSTR
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe PID: 3580, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, type: SAMPLE
Source: Yara match | File source: 0.0.6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2008894508.0000000000292000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe PID: 3580, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the matched-signature count shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (221); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (241); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (241); Application Window Discovery (1); System Information Discovery (113)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Local System (2); Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
185.196.9.26:6302 | true | Avira URL Cloud: safe | unknown
                    unknown
                    http://tempuri.org/Entity/Id1ResponseD6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id9Response6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id206d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id216d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id226d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA16d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id236d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA16d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id246d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id24Response6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id1Response6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/08/addressing6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id106d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id116d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id126d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id16Response6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id136d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id146d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id156d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id166d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id176d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id186d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id5Response6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id196d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id10Response6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Renew6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id8Response6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.06d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentity6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/soap/envelope/6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA16d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id3ResponseD6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002AC8000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/Entity/Id23Response6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://tempuri.org/D6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/06/addressingex6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/fault6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe, 00000000.00000002.2107506270.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
IP:185.196.9.26
Domain:unknown
Country:Switzerland
ASN:42624
ASN Name:SIMPLECARRIERCH
Malicious:true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1465716
                    Start date and time:2024-07-02 00:31:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 2m 39s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 16
                    • Number of non-executed functions: 1
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Stop behavior analysis, all processes terminated
                    • Exclude process from analysis (whitelisted): dllhost.exe
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
Time:18:32:00
Type:API Interceptor
Description:13x Sleep call for process: 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe modified
Match:185.196.9.26
Associated Sample Name / URL, Detection, Threat Name:
• StrangeOstrumV2.exe: malicious, RedLine
• BqDa1EBEUK.exe: malicious, RedLine
• software.exe: malicious, RedLine
Match:SIMPLECARRIERCH
Associated Sample Name / URL (Context IP), Detection, Threat Name:
• StrangeOstrumV2.exe (185.196.9.26): malicious, RedLine
• BqDa1EBEUK.exe (185.196.9.26): malicious, RedLine
• Jr7B1jZMaT.exe (185.196.9.89): malicious, NovaSentinel
• software.exe (185.196.9.26): malicious, RedLine
• rIlzbkxg.exe (185.196.9.150): malicious, AgentTesla, PureLog Stealer
• AaSwePhLEn.exe (185.196.9.57): malicious, RHADAMANTHYS
• rlytKovocev.exe (185.196.11.12): malicious, AgentTesla, PureLog Stealer
• rrTqdiabb.exe (185.196.11.12): malicious, AgentTesla, PureLog Stealer
• mFduH8XG1f.exe (185.196.9.150): malicious, AgentTesla, PureLog Stealer
• 8uy7ZljOoi.exe (185.196.11.12): malicious, AgentTesla, PureLog Stealer
                          Process:C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):3094
                          Entropy (8bit):5.33145931749415
                          Encrypted:false
                          SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                          MD5:3FD5C0634443FB2EF2796B9636159CB6
                          SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                          SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                          SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):5.024207755125805
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                          File size:301'056 bytes
                          MD5:e295671d8a71cd7a1ae699a2d47fa176
                          SHA1:1066c6cb764d5c47e40e87f8511bd2410c0e787f
                          SHA256:4e7c1a1fe4d6a92b37597aca22fd1701cb11071a225c9cd0673645b120fe77fe
                          SHA512:90df34f4c6bfa111e368f27fe1733b4540d7e848fd45128e295ee7ad431d1469d3898c88db1ed02fd5fa7b57a49b0b31517473de1cefe3967af0bee744cb4107
                          SSDEEP:3072:AcZqf7D34KpVMQGBOLNNxplzSpECsAbwst1TkxnqpXaAxyDeqiOL2bBOU:AcZqf7DIKOExplzSpKi1TkBuxytL
                          TLSH:A8545B1827E8D901D93F8B79D461D67093B1FC67A456D31B4FC0ACAB3D36B44EA01AB2
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
                          Icon Hash:4d8ea38d85a38e6d
                          Entrypoint:0x42e8de
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x939FA7C9 [Thu Jun 25 16:05:29 2048 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e884 | 0x57 | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0x1c9b6 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4e000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0x2c8e4 | 0x2ca00 | a5680d741e506db927e856457686d5b0 | False | 0.46733849789915966 | data | 6.140749977826074 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x30000 | 0x1c9b6 | 0x1ca00 | 0e3df7ded42c507235021b7195600362 | False | 0.23799979530567686 | data | 2.614152607384932 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x4e000 | 0xc | 0x200 | 31fab53ef6208241739eddf2bc126410 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0x30220 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
                          RT_ICON | 0x33f24 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
                          RT_ICON | 0x4474c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
                          RT_ICON | 0x48974 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
                          RT_ICON | 0x4af1c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
                          RT_ICON | 0x4bfc4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
                          RT_GROUP_ICON | 0x4c42c | 0x5a | data | | | 0.7666666666666667
                          RT_VERSION | 0x4c488 | 0x342 | data | | | 0.44004796163069543
                          RT_MANIFEST | 0x4c7cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          07/02/24-00:31:56.181866 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          07/02/24-00:32:03.217448 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          07/02/24-00:31:55.903421 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          07/02/24-00:32:01.504238 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Jul 2, 2024 00:31:54.891957998 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:31:54.902854919 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:31:54.903017998 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:31:54.911516905 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:31:54.918508053 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:31:55.720822096 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:31:55.766060114 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:31:55.903420925 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:31:55.911556959 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:31:56.181865931 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:31:56.234790087 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:01.223002911 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:01.229321957 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:01.504237890 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:01.504261971 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:01.504281998 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:01.504357100 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:01.504369974 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:01.504394054 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:01.504432917 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:02.748816013 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:02.756043911 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.756067991 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.756078005 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.756082058 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.756108999 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.756165981 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:02.756197929 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:02.758389950 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.758435011 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.758445978 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.758456945 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.758469105 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:02.759965897 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.762639046 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.762676001 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.762686014 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.762695074 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.762706041 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.764899969 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.764957905 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.767201900 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:02.767323017 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:03.216505051 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:03.217447996 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26
                          Jul 2, 2024 00:32:03.223840952 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:03.495081902 CEST | 6302 | 49704 | 185.196.9.26 | 192.168.2.5
                          Jul 2, 2024 00:32:03.526227951 CEST | 49704 | 6302 | 192.168.2.5 | 185.196.9.26


                          Target ID:0
                          Start time:18:31:52
                          Start date:01/07/2024
                          Path:C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.exe"
                          Imagebase:0x290000
                          File size:301'056 bytes
                          MD5 hash:E295671D8A71CD7A1AE699A2D47FA176
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.2008894508.0000000000292000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2107506270.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:8.1%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:52
                            Total number of Limit Nodes:9
                            execution_graph 14543 d0d300 DuplicateHandle 14544 d0d396 14543->14544 14545 d04668 14546 d04684 14545->14546 14547 d04696 14546->14547 14549 d047a0 14546->14549 14550 d047c5 14549->14550 14554 d048b0 14550->14554 14558 d048a1 14550->14558 14556 d048d7 14554->14556 14555 d049b4 14555->14555 14556->14555 14562 d04248 14556->14562 14559 d048d7 14558->14559 14560 d04248 CreateActCtxA 14559->14560 14561 d049b4 14559->14561 14560->14561 14563 d05940 CreateActCtxA 14562->14563 14565 d05a03 14563->14565 14566 d0d0b8 14567 d0d0fe GetCurrentProcess 14566->14567 14569 d0d150 GetCurrentThread 14567->14569 14570 d0d149 14567->14570 14571 d0d186 14569->14571 14572 d0d18d GetCurrentProcess 14569->14572 14570->14569 14571->14572 14575 d0d1c3 14572->14575 14573 d0d1eb GetCurrentThreadId 14574 d0d21c 14573->14574 14575->14573 14576 d0ad38 14580 d0ae30 14576->14580 14588 d0ae20 14576->14588 14577 d0ad47 14581 d0ae41 14580->14581 14582 d0ae64 14580->14582 14581->14582 14596 d0b0c8 14581->14596 14600 d0b0b8 14581->14600 14582->14577 14583 d0ae5c 14583->14582 14584 d0b068 GetModuleHandleW 14583->14584 14585 d0b095 14584->14585 14585->14577 14589 d0ae41 14588->14589 14590 d0ae64 14588->14590 14589->14590 14594 d0b0c8 LoadLibraryExW 14589->14594 14595 d0b0b8 LoadLibraryExW 14589->14595 14590->14577 14591 d0ae5c 14591->14590 14592 d0b068 GetModuleHandleW 14591->14592 14593 d0b095 14592->14593 14593->14577 14594->14591 14595->14591 14597 d0b0dc 14596->14597 14599 d0b101 14597->14599 14604 d0a870 14597->14604 14599->14583 14601 d0b0dc 14600->14601 14602 d0a870 LoadLibraryExW 14601->14602 14603 d0b101 14601->14603 14602->14603 14603->14583 14605 d0b2a8 LoadLibraryExW 14604->14605 14607 d0b321 14605->14607 14607->14599

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 294 d0d0a8-d0d147 GetCurrentProcess 299 d0d150-d0d184 GetCurrentThread 294->299 300 d0d149-d0d14f 294->300 301 d0d186-d0d18c 299->301 302 d0d18d-d0d1c1 GetCurrentProcess 299->302 300->299 301->302 304 d0d1c3-d0d1c9 302->304 305 d0d1ca-d0d1e5 call d0d289 302->305 304->305 307 d0d1eb-d0d21a GetCurrentThreadId 305->307 309 d0d223-d0d285 307->309 310 d0d21c-d0d222 307->310 310->309
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 00D0D136
                            • GetCurrentThread.KERNEL32 ref: 00D0D173
                            • GetCurrentProcess.KERNEL32 ref: 00D0D1B0
                            • GetCurrentThreadId.KERNEL32 ref: 00D0D209
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 2e01fb482f17478cee6a9f9b566fbab00b9329e99eba1e07f090981e5c30d96e
                            • Instruction ID: 5291cacf8702b0a89bda97a5f7abbc2e03654ee00e5a035304fcca73c8d51fe1
                            • Opcode Fuzzy Hash: 2e01fb482f17478cee6a9f9b566fbab00b9329e99eba1e07f090981e5c30d96e
                            • Instruction Fuzzy Hash: 47518AB0900349CFDB14DFA9D94879EBBF1EF88314F24805EE509A7390DB74A944CB66

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 317 d0d0b8-d0d147 GetCurrentProcess 321 d0d150-d0d184 GetCurrentThread 317->321 322 d0d149-d0d14f 317->322 323 d0d186-d0d18c 321->323 324 d0d18d-d0d1c1 GetCurrentProcess 321->324 322->321 323->324 326 d0d1c3-d0d1c9 324->326 327 d0d1ca-d0d1e5 call d0d289 324->327 326->327 329 d0d1eb-d0d21a GetCurrentThreadId 327->329 331 d0d223-d0d285 329->331 332 d0d21c-d0d222 329->332 332->331
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 00D0D136
                            • GetCurrentThread.KERNEL32 ref: 00D0D173
                            • GetCurrentProcess.KERNEL32 ref: 00D0D1B0
                            • GetCurrentThreadId.KERNEL32 ref: 00D0D209
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 4e9e92528f31dbc265172f5a11cd1ee4669f96a35fcc8c735f18dfb838a7dfe8
                            • Instruction ID: 0341568a82c048d973885434ac2d88f5728680ed729521122a5d1cbc38b4fbb5
                            • Opcode Fuzzy Hash: 4e9e92528f31dbc265172f5a11cd1ee4669f96a35fcc8c735f18dfb838a7dfe8
                            • Instruction Fuzzy Hash: F65159B0900709CFDB14DFA9D948B9EBBF1EF48310F24845AE519A7390DB74A944CB66

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 361 d0ae30-d0ae3f 362 d0ae41-d0ae4e call d09838 361->362 363 d0ae6b-d0ae6f 361->363 369 d0ae50 362->369 370 d0ae64 362->370 365 d0ae71-d0ae7b 363->365 366 d0ae83-d0aec4 363->366 365->366 372 d0aed1-d0aedf 366->372 373 d0aec6-d0aece 366->373 418 d0ae56 call d0b0c8 369->418 419 d0ae56 call d0b0b8 369->419 370->363 374 d0aee1-d0aee6 372->374 375 d0af03-d0af05 372->375 373->372 377 d0aef1 374->377 378 d0aee8-d0aeef call d0a814 374->378 380 d0af08-d0af0f 375->380 376 d0ae5c-d0ae5e 376->370 379 d0afa0-d0afb7 376->379 382 d0aef3-d0af01 377->382 378->382 394 d0afb9-d0b018 379->394 383 d0af11-d0af19 380->383 384 d0af1c-d0af23 380->384 382->380 383->384 387 d0af30-d0af39 call d0a824 384->387 388 d0af25-d0af2d 384->388 392 d0af46-d0af4b 387->392 393 d0af3b-d0af43 387->393 388->387 395 d0af69-d0af76 392->395 396 d0af4d-d0af54 392->396 393->392 412 d0b01a-d0b060 394->412 403 d0af78-d0af96 395->403 404 d0af99-d0af9f 395->404 396->395 397 d0af56-d0af66 call d0a834 call d0a844 396->397 397->395 403->404 413 d0b062-d0b065 412->413 414 d0b068-d0b093 GetModuleHandleW 412->414 413->414 415 d0b095-d0b09b 414->415 416 d0b09c-d0b0b0 414->416 415->416 418->376 419->376
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B086
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 4402c42e3abc73391bc23ad359654a71a0a0ac6636b08fc834d4e9fc65717527
                            • Instruction ID: 2fb44ed00e7fee0fab39064d47cc77d1e6191f0f580f857f3537cb47486894f6
                            • Opcode Fuzzy Hash: 4402c42e3abc73391bc23ad359654a71a0a0ac6636b08fc834d4e9fc65717527
                            • Instruction Fuzzy Hash: 637147B0A00B058FD724DF69D44575ABBF5FF88300F04892EE48ADBA81D775E946CBA1

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 420 d05935-d05a01 CreateActCtxA 422 d05a03-d05a09 420->422 423 d05a0a-d05a64 420->423 422->423 430 d05a73-d05a77 423->430 431 d05a66-d05a69 423->431 432 d05a88 430->432 433 d05a79-d05a85 430->433 431->430 435 d05a89 432->435 433->432 435->435
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00D059F1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: b4316b7b74647d0fe5287ba7f6f2141692ac4daf8acedda3bfb372057dd30713
                            • Instruction ID: aa4f0cb89e1fc7c709f7e5c8e8af915752b17f304c67d852c424ff2b52271d8d
                            • Opcode Fuzzy Hash: b4316b7b74647d0fe5287ba7f6f2141692ac4daf8acedda3bfb372057dd30713
                            • Instruction Fuzzy Hash: 5541EFB0D00719CFDB24CFA9C884B8EBBB5FF49304F24815AD408AB255DB75694ACFA0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 436 d04248-d05a01 CreateActCtxA 439 d05a03-d05a09 436->439 440 d05a0a-d05a64 436->440 439->440 447 d05a73-d05a77 440->447 448 d05a66-d05a69 440->448 449 d05a88 447->449 450 d05a79-d05a85 447->450 448->447 452 d05a89 449->452 450->449 452->452
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00D059F1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: c6e58f10c84ddf27fdd70f6eacd9e2dfd7b4d0d2cafe4d208bfe00aa17110605
                            • Instruction ID: c45d37760121d232a3f381d0b94fa0e9904cfc57358cadcb54fdfe609ad760a7
                            • Opcode Fuzzy Hash: c6e58f10c84ddf27fdd70f6eacd9e2dfd7b4d0d2cafe4d208bfe00aa17110605
                            • Instruction Fuzzy Hash: C841D0B0D00719CBDB24CFA9C884B9EBBF5FF49304F24815AD508AB255DB75694ACFA0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 453 d0d2f9-d0d2fe 454 d0d300-d0d394 DuplicateHandle 453->454 455 d0d396-d0d39c 454->455 456 d0d39d-d0d3ba 454->456 455->456
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D387
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 99110b44d50039d998b2af583c0b832f76d86a963e3f37f077d83059d17b4b23
                            • Instruction ID: 5ff8380538c66af4d1dcc5834f36f703d058e44206cce902a3ec9a3845250965
                            • Opcode Fuzzy Hash: 99110b44d50039d998b2af583c0b832f76d86a963e3f37f077d83059d17b4b23
                            • Instruction Fuzzy Hash: 2A21E4B59003099FDB10CFAAD984ADEFBF9FB48324F14801AE918A3350C374A950DFA1

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 459 d0d300-d0d394 DuplicateHandle 460 d0d396-d0d39c 459->460 461 d0d39d-d0d3ba 459->461 460->461
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D387
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 48510e67f6981419745fc48e38db8093e89b75b22f8a47125da8e40a9db78a4f
                            • Instruction ID: 0b9334e4c5a6994088444bc8c6993088289cbedd73c980f1e6a48b0c9c8ea4d3
                            • Opcode Fuzzy Hash: 48510e67f6981419745fc48e38db8093e89b75b22f8a47125da8e40a9db78a4f
                            • Instruction Fuzzy Hash: 6121E2B59003089FDB10CFAAD984ADEFBF9FB48320F14801AE918A3350C374A950DFA1

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 464 d0a870-d0b2e8 466 d0b2f0-d0b31f LoadLibraryExW 464->466 467 d0b2ea-d0b2ed 464->467 468 d0b321-d0b327 466->468 469 d0b328-d0b345 466->469 467->466 468->469
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D0B101,00000800,00000000,00000000), ref: 00D0B312
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 05165c1f0da88c734ece4b02100291f474659daf5197bc3ff8a28a2965c3b3f3
                            • Instruction ID: f9d465abcaba389815c3b03e6d62183bc6042ddb7c0e23a95b77004774877c77
                            • Opcode Fuzzy Hash: 05165c1f0da88c734ece4b02100291f474659daf5197bc3ff8a28a2965c3b3f3
                            • Instruction Fuzzy Hash: 8A11D6B69043499FDB10CF9AC444B9EFBF4EB48320F14842AD559A7241C375A945CFA5

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 472 d0b2a0-d0b2e8 473 d0b2f0-d0b31f LoadLibraryExW 472->473 474 d0b2ea-d0b2ed 472->474 475 d0b321-d0b327 473->475 476 d0b328-d0b345 473->476 474->473 475->476
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D0B101,00000800,00000000,00000000), ref: 00D0B312
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 8a1a642b00d9f3c9bff66fdb2265217cd5fc25ee400cf41dc5d0ec1fd7253add
                            • Instruction ID: 509e8550b71373bc7a194ebef487d0fee874389cbe14518a317380e2e812fc80
                            • Opcode Fuzzy Hash: 8a1a642b00d9f3c9bff66fdb2265217cd5fc25ee400cf41dc5d0ec1fd7253add
                            • Instruction Fuzzy Hash: C51114B68042498FCB14CFAAC444BDEFBF4EB89320F14842AD959A7251C375A545CFA0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 479 d0b020-d0b060 480 d0b062-d0b065 479->480 481 d0b068-d0b093 GetModuleHandleW 479->481 480->481 482 d0b095-d0b09b 481->482 483 d0b09c-d0b0b0 481->483 482->483
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B086
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 5805ab97db8c6cae7b6a4e5b3c323ce150668dc60968d3e2a38297faf17c3ccc
                            • Instruction ID: 67412b379c3c4b0450569cfd1442a41cb209d9759d6e96f7adc51a11b2c10b3a
                            • Opcode Fuzzy Hash: 5805ab97db8c6cae7b6a4e5b3c323ce150668dc60968d3e2a38297faf17c3ccc
                            • Instruction Fuzzy Hash: A011DFB6C047498FDB20DF9AC844B9EFBF4EB89320F14841AD569A7250C375AA45CFA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2105948271.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_88d000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5561bcfa9491c7cb142657c24e427026939b47988d645edcd756a9a5eac480c5
                            • Instruction ID: eaabed8223952e5b70053616e3ab5de754fe5871f025cb3c14738142c6dcde73
                            • Opcode Fuzzy Hash: 5561bcfa9491c7cb142657c24e427026939b47988d645edcd756a9a5eac480c5
                            • Instruction Fuzzy Hash: 3B210872504344DFCB15EF54D9C0F26BF65FB88314F24C979E9098A286C33AD816CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2105948271.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_88d000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eef159bbe1fc5e03fa5c91da05a7a8b8773c31df8d814f6689c681cd1e52ca6c
                            • Instruction ID: 36af90794f0f6efe233321e677e8c4c48c0b6489bfc213bc22f48ec361dc8c0c
                            • Opcode Fuzzy Hash: eef159bbe1fc5e03fa5c91da05a7a8b8773c31df8d814f6689c681cd1e52ca6c
                            • Instruction Fuzzy Hash: A521D372504344DFDB06EF54D9C4B26BF65FB88324F24C569ED098B286C33AE816CBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106152293.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_8ad000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1791a8db722bbd8fd933bd88971382c35f93841323f4a86e40f98fdbd51de297
                            • Instruction ID: d898b643d5f599fc416075e98b756e021ea563d5b161d0de56f266a4edce9cb8
                            • Opcode Fuzzy Hash: 1791a8db722bbd8fd933bd88971382c35f93841323f4a86e40f98fdbd51de297
                            • Instruction Fuzzy Hash: 22212271604704DFEB15DF24D980B26BB65FB89324F20C96DD80ACBA86C33AD807CA61
                            Memory Dump Source
                            • Source File: 00000000.00000002.2106152293.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_8ad000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 45c3e94312c4c821c793996fe7cd3dfd1e5d9e6314f5019ef8db8162fb6303b2
                            • Instruction ID: 66abd8b0f373b5d61162272d2433c59f0fff7c381cae376f864d720781eda2f5
                            • Opcode Fuzzy Hash: 45c3e94312c4c821c793996fe7cd3dfd1e5d9e6314f5019ef8db8162fb6303b2
                            • Instruction Fuzzy Hash: A9214F755087809FDB02CF24D994711BF71FB46314F28C5EAD8498F6A7C33A985ACB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.2105948271.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_88d000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
                            • Instruction ID: 1fe9c1b57c8aa05089e4f8e8477f3ae232a45dfceddf9e542aa54777617c6fd7
                            • Opcode Fuzzy Hash: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
                            • Instruction Fuzzy Hash: 9E21AF76504280DFCB16DF14D9C4B16BF72FB98324F24C6A9D9494B256C33AD826CB91
                            Memory Dump Source
                            • Source File: 00000000.00000002.2105948271.000000000088D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0088D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_88d000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
                            • Instruction ID: a1e3c677c15e61e5002876336476e28d3a55bb7f439114e452751292440a0b27
                            • Opcode Fuzzy Hash: 9b7ddd7a086731bdfc3d36347521231777b7f6d018e947c39a7212cc8184ef59
                            • Instruction Fuzzy Hash: 1921CD76404244CFCB06DF00D9C4B16BF62FB84310F24C2A9DC084B296C33AE82ACBA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2107082115.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d00000_6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e_dump.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f6228cfe1dc7f14922784ba3769db9ee246f76f05bf43c8a05df1ac0c39e3e41
                            • Instruction ID: 55c539654b9dfc41bf4c8fe8c1e59578c6a6e185352f2a3f5a2bb395d4f6b8b8
                            • Opcode Fuzzy Hash: f6228cfe1dc7f14922784ba3769db9ee246f76f05bf43c8a05df1ac0c39e3e41
                            • Instruction Fuzzy Hash: EAA15D32E00215CFCF15DFB5C84069EB7B2FF88300B25457AE909AB2A5DB71E955CBA0