
Windows Analysis Report
RFQ SY103 2nd order 2024.exe

Overview

General Information

Sample name: RFQ SY103 2nd order 2024.exe
Analysis ID: 1466686
MD5: 52a63eb1af96bcccba7e8faf1280ecd1
SHA1: 618eeb2a27bbd791a1546285a77fac4b252aa06a
SHA256: 215f60a1a446cc7dedc8bea601806fab901769340cff8d02a991d8ca9bf0782b
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • RFQ SY103 2nd order 2024.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe" MD5: 52A63EB1AF96BCCCBA7E8FAF1280ECD1)
    • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AddInProcess32.exe (PID: 7380 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • jsc.exe (PID: 7404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • jsc.exe (PID: 7412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • WerFault.exe (PID: 7492 cmdline: C:\Windows\system32\WerFault.exe -u -p 7296 -s 1032 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["178.23.190.118:1912"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.1725634665.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1764969860.000002096394A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.RFQ SY103 2nd order 2024.exe.209638b2d70.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RFQ SY103 2nd order 2024.exe.209639a63a8.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
3.2.jsc.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RFQ SY103 2nd order 2024.exe.209638b2d70.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.RFQ SY103 2nd order 2024.exe.209639a63a8.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                          No Sigma rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/03/24-09:26:54.237167 | 2043234 | 1912 | 49730 | TCP | A Network Trojan was detected
07/03/24-09:26:54.055105 | 2046045 | 49730 | 1912 | TCP | A Network Trojan was detected
07/03/24-09:26:59.486185 | 2046056 | 1912 | 49730 | TCP | A Network Trojan was detected
07/03/24-09:27:01.472345 | 2043231 | 49730 | 1912 | TCP | A Network Trojan was detected


                          AV Detection

Source: 0.2.RFQ SY103 2nd order 2024.exe.209639a63a8.3.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["178.23.190.118:1912"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: RFQ SY103 2nd order 2024.exe | ReversingLabs: Detection: 23%
Source: RFQ SY103 2nd order 2024.exe | Virustotal: Detection: 27%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                          Exploits

Source: Yara match | File source: 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ SY103 2nd order 2024.exe PID: 7296, type: MEMORYSTR
Source: RFQ SY103 2nd order 2024.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Windows.Forms.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: mscorlib.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.ni.pdbRSDS source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Drawing.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Windows.Forms.ni.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Drawing.pdbx source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: mscorlib.ni.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Drawing.ni.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Core.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Drawing.ni.pdbRSDS source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.ni.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Core.ni.pdbRSDS source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: System.Core.ni.pdb source: WER1F3C.tmp.dmp.7.dr
                          Source: Binary string: Microsoft.VisualBasic.pdb source: WER1F3C.tmp.dmp.7.dr

                          Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 178.23.190.118:1912
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 178.23.190.118:1912
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 178.23.190.118:1912 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 178.23.190.118:1912 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 178.23.190.118:1912
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 178.23.190.118:1912
Source: Joe Sandbox View | ASN Name: LYNERO-ASDK LYNERO-ASDK
Source: unknown | TCP traffic detected without corresponding DNS query: 178.23.190.118 (50 identical entries)
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                          Source: jsc.exe, 00000003.00000002.1727587721.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                          Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1764969860.000002096394A000.00000004.00000800.00020000.00000000.sdmp, RFQ SY103 2nd order 2024.exe, 00000000.00000002.1764969860.00000209637C8000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.1725634665.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip

                          System Summary

                          Source: initial sampleStatic PE information: Filename: RFQ SY103 2nd order 2024.exe
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8A43EC0_2_00007FFD9B8A43EC
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8AC2810_2_00007FFD9B8AC281
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8A18000_2_00007FFD9B8A1800
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8B47590_2_00007FFD9B8B4759
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8ABDF90_2_00007FFD9B8ABDF9
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8AEE090_2_00007FFD9B8AEE09
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8A94E00_2_00007FFD9B8A94E0
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8A94D80_2_00007FFD9B8A94D8
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8B07AA0_2_00007FFD9B8B07AA
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B8A14F80_2_00007FFD9B8A14F8
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeCode function: 0_2_00007FFD9B9800500_2_00007FFD9B980050
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 3_2_0112DC743_2_0112DC74
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 1032
                          Source: RFQ SY103 2nd order 2024.exeStatic PE information: No import functions for PE file found
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000000.1617300258.0000020951902000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOjanohawupelabo2 vs RFQ SY103 2nd order 2024.exe
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1764969860.00000209638F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs RFQ SY103 2nd order 2024.exe
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1764969860.00000209638F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEkisahagowazi6 vs RFQ SY103 2nd order 2024.exe
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1764969860.000002096394A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEkisahagowazi6 vs RFQ SY103 2nd order 2024.exe
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1764969860.000002096394A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs RFQ SY103 2nd order 2024.exe
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1762706745.0000020953430000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameEkisahagowazi6 vs RFQ SY103 2nd order 2024.exe
                          Source: RFQ SY103 2nd order 2024.exeBinary or memory string: OriginalFilenameOjanohawupelabo2 vs RFQ SY103 2nd order 2024.exe
                          Source: RFQ SY103 2nd order 2024.exe, ----------------.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                          Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@9/6@0/1
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile created: C:\Users\user\AppData\Local\SystemCacheJump to behavior
                          Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7296
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeMutant created: NULL
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
                          Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\510e5758-a5a4-45d0-ab9c-1d0bbb74bb04Jump to behavior
                          Source: RFQ SY103 2nd order 2024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: RFQ SY103 2nd order 2024.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: RFQ SY103 2nd order 2024.exeReversingLabs: Detection: 23%
                          Source: RFQ SY103 2nd order 2024.exeVirustotal: Detection: 27%
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeFile read: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeJump to behavior
                          Source: unknownProcess created: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe "C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe"
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 1032
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"Jump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"Jump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: version.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: dwrite.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: rstrtmgr.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: RFQ SY103 2nd order 2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ SY103 2nd order 2024.exe | Static file information: File size 2714665 > 1048576
Source: RFQ SY103 2nd order 2024.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: RFQ SY103 2nd order 2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Drawing.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Drawing.pdbx source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Drawing.ni.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WER1F3C.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1F3C.tmp.dmp.7.dr
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Code function: 0_2_00007FFD9B8A59E2 push esi; retn 0008h | 0_2_00007FFD9B8A59E3
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Code function: 0_2_00007FFD9B8A81A2 push ebx; ret | 0_2_00007FFD9B8A816A
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Code function: 0_2_00007FFD9B8A8123 push ebx; ret | 0_2_00007FFD9B8A816A
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Code function: 0_2_00007FFD9B8A58DA pushad ; ret | 0_2_00007FFD9B8A58DB
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Code function: 0_2_00007FFD9B980050 push esp; retf 4810h | 0_2_00007FFD9B980312
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Process information set: NOOPENFILEERRORBOX (31 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process information set: NOOPENFILEERRORBOX (77 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 identical entries)

                          Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: RFQ SY103 2nd order 2024.exe PID: 7296, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Memory allocated: 20951C30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe | Memory allocated: 2096B520000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 1120000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Window / User API: threadDelayed 817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Window / User API: threadDelayed 2039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7728 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7440 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
Source: Amcache.hve.7.dr | Binary or memory string: VMware
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: jsc.exe, 00000003.00000002.1731043654.0000000005FC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                          Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                          Source: Amcache.hve.7.drBinary or memory string: VMware PCI VMCI Bus Device
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                          Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                          Source: Amcache.hve.7.drBinary or memory string: VMware VMCI Bus Device
                          Source: Amcache.hve.7.drBinary or memory string: VMware Virtual RAM
                          Source: Amcache.hve.7.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                          Source: Amcache.hve.7.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess queried: DebugPortJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess queried: DebugPortJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: RFQ SY103 2nd order 2024.exe, ----------------.cs; Reference to suspicious API methods: GetProcAddress(_EE0C_EC70_EE8C_0E65_0E6F_EC86_EE7C_0EA6_EC96, _08FD_EE61_EE25_0E69_EE01_EE4D_0657_EC96_EE5C_EEEF_EE97_EEC1_0E83_EE64)
Source: RFQ SY103 2nd order 2024.exe, ----------------.cs; Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_EE63_EC84_EEE9_EED3_EE86_EE77_0604_EE1B.Length, 64u, out var _08FB_EE71_08D9_0607_EE52_EEDA_0EB4_0607_EE10_08DA_EC80_EEAA_EE7B_08FB)
Source: RFQ SY103 2nd order 2024.exe, ----------------.cs; Reference to suspicious API methods: LoadLibrary(_061F_EEB9_EE43_EE61_08FE_08C8_EEA0_EC93_08EE(_EC92_EE85_08DA_EE70_EEDF_0E66_0653_EE6A_EEF1_EEF3_EEEB_EE8B_EE4D_EC89_0E80_EE13_EEDE_0E7F_EC84._EECA_ECB9_EEB3_EE0C_EE58_EED9))
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 432000
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 450000
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: B22008
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Queries volume information: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr; Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.RFQ SY103 2nd order 2024.exe.209638b2d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ SY103 2nd order 2024.exe.209639a63a8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ SY103 2nd order 2024.exe.209638b2d70.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ SY103 2nd order 2024.exe.209639a63a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.1725634665.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1764969860.000002096394A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1764969860.00000209637C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ SY103 2nd order 2024.exe PID: 7296, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: jsc.exe PID: 7404, type: MEMORYSTR
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ElectrumE#
Source: jsc.exe, 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: jsc.exe, 00000003.00000002.1727587721.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: jsc.exe, 00000003.00000002.1731043654.0000000005FED000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: jsc.exe, 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum\walletsLR^qp
Source: jsc.exe, 00000003.00000002.1731043654.0000000005FED000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: jsc.exe, 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
Source: jsc.exe, 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: EthereumE#
Source: jsc.exe, 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $^q&%localappdata%\Coinomi\Coinomi\walletsLR^q
Source: jsc.exe, 00000003.00000002.1731043654.0000000005FED000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: RFQ SY103 2nd order 2024.exe, 00000000.00000002.1764969860.00000209638F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: SQLCOLUMNENCRYPTIONKEYSTOREPROVIDERAFBF7A19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match; File source: 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: jsc.exe PID: 7404, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.RFQ SY103 2nd order 2024.exe.209638b2d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ SY103 2nd order 2024.exe.209639a63a8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ SY103 2nd order 2024.exe.209638b2d70.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.RFQ SY103 2nd order 2024.exe.209639a63a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.1725634665.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1764969860.000002096394A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1764969860.00000209637C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RFQ SY103 2nd order 2024.exe PID: 7296, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: jsc.exe PID: 7404, type: MEMORYSTR

MITRE ATT&CK Matrix

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 221 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 251 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 341 Security Software Discovery; 1 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 113 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; 3 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus Detection

Source | Detection | Scanner | Label
RFQ SY103 2nd order 2024.exe | 24% | ReversingLabs | Win64.Trojan.Generic
RFQ SY103 2nd order 2024.exe | 27% | Virustotal |
No Antivirus matches
                          http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                          http://tempuri.org/Entity/Id1ResponseD1%VirustotalBrowse
                          http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                          http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%Avira URL Cloudsafe
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%VirustotalBrowse
                          http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                          http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%VirustotalBrowse
                          http://tempuri.org/Entity/Id211%VirustotalBrowse
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%Avira URL Cloudsafe
                          http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%VirustotalBrowse
                          http://tempuri.org/Entity/Id201%VirustotalBrowse
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue0%Avira URL Cloudsafe
                          http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                          http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%Avira URL Cloudsafe
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%Avira URL Cloudsafe
                          http://tempuri.org/Entity/Id9Response2%VirustotalBrowse
                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%Avira URL Cloudsafe
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%Avira URL Cloudsafe
                          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | ASN | ASN Name | Malicious
178.23.190.118 | unknown | unknown | 196724 | LYNERO-ASDK | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1466686
                          Start date and time:2024-07-03 09:26:05 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 5m 24s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:RFQ SY103 2nd order 2024.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.expl.evad.winEXE@9/6@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 89%
                          • Number of executed functions: 35
                          • Number of non-executed functions: 1
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 52.168.117.173
                          • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
03:26:58 | API Interceptor | 16x Sleep call for process: jsc.exe modified
03:27:04 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LYNERO-ASDK | Document-1975072354.xls | malicious | Hidden Macro 4.0 | 178.23.190.8
LYNERO-ASDK | Document-1975072354.xls | malicious | Hidden Macro 4.0 | 178.23.190.8
LYNERO-ASDK | https://carolinadoggieplayland.getform.com/d1428 | malicious | HTMLPhisher | 178.23.190.117
LYNERO-ASDK | AA1878F26132481B357627A0EF684FF68763E6E315FCE.exe | malicious | RedLine | 178.23.190.74
LYNERO-ASDK | TWdjAGnYuQ.exe | malicious | RedLine | 178.23.190.183
LYNERO-ASDK | usfive_20220219-134311.exe | malicious | Lu0Bot | 178.23.190.155
LYNERO-ASDK | FortMod 6.3.exe | malicious | RedLine | 178.23.190.213
LYNERO-ASDK | jb0yJdcE3t.exe | malicious | Raccoon | 178.23.190.57
LYNERO-ASDK | FortMod 7.1.exe | malicious | RedLine | 178.23.190.213
LYNERO-ASDK | cB2vzM1OZc.exe | malicious | Raccoon | 178.23.190.57
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0541588162792324
                          Encrypted:false
                          SSDEEP:192:Kg9te/sUkv50UnUFaWBey+X2zuiFzZ24lO85Ac3A:Jfe/sU7UnUFamkX2zuiFzY4lO8ec
                          MD5:50643312DAC4C07ACB694D50DB2BE227
                          SHA1:61561F69DE468A0C07348B2649991B42E61457B3
                          SHA-256:E8D30A0ED309D51A6D23C04FEE43ACED916B118747BD72F85C885CB7A7A0B868
                          SHA-512:26EE09AC4CB688D7490ADE6D0BE34A8C2636B5E5D5797ECC549E5F866E7080D6BCE56BF5733041F4D4A9E99DC09917A75B853AE554114C994DDAE034A777EE9D
                          Malicious:false
                          Reputation:low
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.6.5.2.1.1.5.6.2.6.5.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.6.5.2.1.2.2.9.7.0.3.3.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.1.8.4.d.b.7.0.-.7.5.2.d.-.4.9.d.4.-.9.7.2.d.-.f.3.d.8.8.6.6.4.d.9.8.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.8.5.8.8.b.c.-.1.d.7.9.-.4.2.8.0.-.b.9.6.8.-.f.1.2.0.f.8.c.7.6.f.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.F.Q. .S.Y.1.0.3. .2.n.d. .o.r.d.e.r. .2.0.2.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.j.a.n.o.h.a.w.u.p.e.l.a.b.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.8.0.-.0.0.0.1.-.0.0.1.4.-.1.6.a.1.-.6.b.5.e.1.a.c.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.e.7.d.0.b.a.7.a.a.6.7.8.f.f.8.a.b.3.3.9.9.c.5.0.c.2.7.9.6.a.8.0.0.0.0.0.0.0.0.!.0.0.0.0.6.1.8.e.e.b.2.a.2.7.b.b.d.7.9.1.a.1.5.4.6.2.8.5.a.7.7.f.a.c.4.b.2.5.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:Mini DuMP crash report, 16 streams, Wed Jul 3 07:26:51 2024, 0x1205a4 type
                          Category:dropped
                          Size (bytes):421539
                          Entropy (8bit):3.408238233878601
                          Encrypted:false
                          SSDEEP:3072:XvNDCcrE0+clWioCFTyFX4qt4T4AbzzcSi8V1CCqeiFz3+vt2Vv:/NDCcrExmoCFTyFlIFbzHpq73QUV
                          MD5:DBE76B3C302A867AFB7870315D58A14B
                          SHA1:DBE062804B3B5BB09573536A978DF837F8117F3D
                          SHA-256:737937BA2476B5A82C2215CD4769C4E235DFB2DB62B0A887D625C0903513F137
                          SHA-512:A6EEA3D62DAED55F2FD6D2C6A20A511F83CDC4C08B74387D3CCC0339CBE1B624B831F4AE4FDB4BF1D5767DAD77784AD67C5E40B30338E1C854B827796509C9AE
                          Malicious:false
                          Reputation:low
                          Preview:MDMP..a..... .......;..f....................................$........................I..|v..........l.......8...........T............(...E...........8...........:..............................................................................eJ......d;......Lw......................T...........9..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8662
                          Entropy (8bit):3.7134511079202617
                          Encrypted:false
                          SSDEEP:192:R6l7wVeJESra46Y9GZMgmfvG6JSypr089bWUhfKym:R6lXJ5Z6Y8ZMgmfuiSmWqf2
                          MD5:A8182C3812BD6B6D26731B516E9FC78E
                          SHA1:1AB38EA62977339EC9534810E4CF8BC6FEABCB88
                          SHA-256:F7A5449D60E3B0C4D8646E7B2EFDE5139ACFD0C376D807B551A34CEEEDA0733D
                          SHA-512:DD3637C24845A2161BCACE8CBC3E894494945A08F9CA9604D2A8802F94A35EEF30A36729439054AC548948E6397E11F846EC79C2416CACBB00F87D8880F322AF
                          Malicious:false
                          Reputation:low
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.9.6.<./.P.i.
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4837
                          Entropy (8bit):4.5281267093194
                          Encrypted:false
                          SSDEEP:48:cvIwWl8zsYiJg771I9VCWpW8VYjcRYm8M4JDavEAFEyq85PNttcB08p0id:uIjfNI7KD7VqfJDavUwNTcB080id
                          MD5:F97A5CC93DD76AFABD9FFE673548C9CD
                          SHA1:4BC37368FAF4FA1139D50DADBFC7D1FB827CC376
                          SHA-256:443B3D7CD607C49E5120FC7CD310A5248B221263AA008B1275741BDA98A14AAF
                          SHA-512:73006237256F4AF38354BCA0EA7252514B3F8C6AEDE2064B9E67648061CC3BC0A267103D5AC9087F6D489FA3257845B37F56A3824054BD9B75DE54F2A58D299F
                          Malicious:false
                          Reputation:low
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394469" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):3094
                          Entropy (8bit):5.33145931749415
                          Encrypted:false
                          SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                          MD5:3FD5C0634443FB2EF2796B9636159CB6
                          SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                          SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                          SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\System32\WerFault.exe
                          File Type:MS Windows registry file, NT/2000 or above
                          Category:dropped
                          Size (bytes):1835008
                          Entropy (8bit):4.46613402744351
                          Encrypted:false
                          SSDEEP:6144:bIXfpi67eLPU9skLmb0b4WWSPKaJG8nAgejZMMhA2gX4WABl0uNzdwBCswSb+:8XD94WWlLZMM6YFHh++
                          MD5:BF3A2B3C272F4E1BD47FEA911743BE2B
                          SHA1:2CED844E99D1CFFF45432695F85406D7FB1A86BA
                          SHA-256:30FF72B67884CE1B0B00E9C92964FC2ADF39668638C9309A860F30205B5C5E20
                          SHA-512:AAADC11EB934B74F522BAD5275472D3ECA115D1A4970880602BFF8F05283DB07D5EFBBBFB6EEAE4ECDA66CCEED49D5AAF1D2B62B27DABF2F124573AFF3BD824A
                          Malicious:false
                          Reputation:low
                          Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.f_................................................................................................................................................................................................................................................................................................................................................n.pk........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):4.827435220157483
                          TrID:
                          • Win64 Executable Console Net Framework (206006/5) 48.58%
                          • Win64 Executable Console (202006/5) 47.64%
                          • Win64 Executable (generic) (12005/4) 2.83%
                          • Generic Win/DOS Executable (2004/3) 0.47%
                          • DOS Executable Generic (2002/1) 0.47%
                          File name:RFQ SY103 2nd order 2024.exe
                          File size:2'714'665 bytes
                          MD5:52a63eb1af96bcccba7e8faf1280ecd1
                          SHA1:618eeb2a27bbd791a1546285a77fac4b252aa06a
                          SHA256:215f60a1a446cc7dedc8bea601806fab901769340cff8d02a991d8ca9bf0782b
                          SHA512:9a4ded726e1243acd98b39e51cfe7d3a924e26fbf373375b6a52b168c0859b9917fa8910ff52bbd654dafccd8b90a186c935ca3dc870bb7da0482f8088e01bd2
                          SSDEEP:12288:SaXAJWnx2uDQxVxdXjXX1yeCla5mPxL4vRGjuAGOeAo7h4wIL:XAJyPDcvzXX1yeqhIvTAXL
                          TLSH:CCC51281BA874D87FD2A517AE4F131F452FCACA730F2869FDF941C52A02A67C6485272
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....X.f.........."...0.................. ....@...... ....................................`................................
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x400000
                          Entrypoint Section:
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows cui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66845801 [Tue Jul 2 19:41:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:
Instruction (disassembly at the reported entrypoint):
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Note: the reported entrypoint 0x400000 is the image base, not code. This is a managed PE32+ image (the CLR header is present as IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR below), so its AddressOfEntryPoint is 0 and execution starts in the CLR loader. The listing above is the DOS header bytes 4D 5A 90 00 03 00 00 00 04 00 00 00 ("MZ...") decoded as x86 instructions and says nothing about the sample's behaviour; the managed entry point has to be read from the CLR metadata instead.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0xa2c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9f48 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7fe2 | 0x8000 | 00f2d9f20c40c9d723dfded7cc885844 | False | 0.629486083984375 | data | 6.456896207311338 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0xa2c | 0xc00 | a3fad74c3dbaa312ce806326b2385845 | False | 0.2672526041666667 | data | 4.441629244072946 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa0b8 | 0x3c4 | data | | | 0.49066390041493774
RT_VERSION | 0xa47c | 0x3c4 | data | English | United States | 0.491701244813278
RT_MANIFEST | 0xa840 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Language of compilation system | Country where language is spoken
English | United States
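The entry-point artifact noted above can be verified directly from the headers. The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it builds a synthetic PE32+ header carrying the static values reported here (image base 0x400000, .text and .rsrc layout, CLR header at RVA 0x2000 of size 0x48, DllCharacteristics 0x8560, AddressOfEntryPoint 0) and parses it with the standard library only. The header bytes are a constructed fixture, and the names build_fixture, parse_pe and triage are the example's own.

```python
"""Added example (not from the report): static triage of a PE32+ header.

Parses the DOS header, PE signature, COFF and optional headers, data
directories and section table with only the standard library, then reports
what the report's static section raises: a 64-bit managed image (CLR header
present), the DllCharacteristics flags, and AddressOfEntryPoint == 0, which
tools show as "entrypoint = image base" and disassemble as the DOS header's
'MZ' bytes. The header bytes are a constructed fixture, not the sample.
"""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
DIR_COM_DESCRIPTOR = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = CLR header
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
                       0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
                       0x8000: "TERMINAL_SERVER_AWARE"}
OPT_HDR_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"   # PE32+ optional header, fixed part (112 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                    # IMAGE_SECTION_HEADER (40 bytes)


def build_fixture() -> bytes:
    """Synthetic PE32+ header with the layout the report describes (constructed fixture)."""
    dos = bytearray(64)
    dos[:16] = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    struct.pack_into("<I", dos, 60, 64)                     # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0x66845801, 0, 0, 240, 0x0022)
    opt = struct.pack(OPT_HDR_FMT,
                      PE32PLUS_MAGIC, 48, 0,                # magic, linker major/minor
                      0x8000, 0xC00, 0,                     # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0,                                    # AddressOfEntryPoint: 0, execution starts in the CLR
                      0x2000, 0x400000,                     # BaseOfCode, ImageBase
                      0x2000, 0x200,                        # SectionAlignment, FileAlignment
                      4, 0, 4, 0, 4, 0,                     # OS / image / subsystem versions
                      0, 0xC000, 0x200, 0,                  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8560,                            # Subsystem (CUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,   # stack / heap reserve and commit
                      0, 16)                                # LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[2] = (0xA000, 0xA2C)                               # RESOURCE
    dirs[6] = (0x9F48, 0x1C)                                # DEBUG
    dirs[DIR_COM_DESCRIPTOR] = (0x2000, 0x48)               # CLR header: marks the image as managed
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    secs = struct.pack(SECTION_FMT, b".text", 0x7FE2, 0x2000, 0x8000, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".rsrc", 0xA2C, 0xA000, 0xC00, 0x8200, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


def parse_pe(data: bytes) -> dict:
    """Minimal PE32+ header parser; raises ValueError on anything it does not understand."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_HDR_FMT, data, opt_off)
    if opt[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ image")
    entry_rva, image_base, subsystem, dllchars, ndirs = opt[6], opt[8], opt[21], opt[22], opt[28]
    dirs = [struct.unpack_from("<II", data, opt_off + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "raw_size": f[3], "characteristics": f[9]})
    clr_va, clr_size = dirs[DIR_COM_DESCRIPTOR] if ndirs > DIR_COM_DESCRIPTOR else (0, 0)
    return {
        "is_64bit": machine == IMAGE_FILE_MACHINE_AMD64,
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown({subsystem})"),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        "entry_section": next((s["name"] for s in sections if s["va"] <= entry_rva < s["va"] + s["vsize"]), None),
        # RVA 0 maps to file offset 0, so a listing at the "entrypoint" decodes the DOS header bytes
        "entry_bytes": data[:12] if entry_rva == 0 else b"",
        "managed": clr_size > 0,
        "clr_header": (clr_va, clr_size),
        "sections": sections,
    }


def triage(info: dict) -> list:
    """Findings a reviewer would want next to the raw header dump."""
    findings = []
    if info["managed"]:
        findings.append("managed (.NET) image: CLR header at RVA 0x%x, size 0x%x" % info["clr_header"])
    if info["entry_rva"] == 0:
        findings.append("AddressOfEntryPoint is 0: a listing at the 'entrypoint' decodes the DOS header, not code")
    missing = {"DYNAMIC_BASE", "NX_COMPAT", "HIGH_ENTROPY_VA"} - set(info["dll_characteristics"])
    if missing:
        findings.append("mitigations not set: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    report = parse_pe(build_fixture())
    print(f"entry VA 0x{report['entry_va']:x}, section {report['entry_section']}, bytes {report['entry_bytes'].hex()}")
    for line in triage(report):
        print("-", line)
```

To run the same check on a real file, pass the first few KiB of the file to parse_pe instead of build_fixture(); the parser reads only the headers and section table, so it does not need the whole image in memory.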
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/03/24-09:26:54.237167 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
07/03/24-09:26:54.055105 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
07/03/24-09:26:59.486185 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
07/03/24-09:27:01.472345 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
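SID 2046045 keys on the .NET Message Framing (MC-NMF) preamble that every WCF net.tcp session opens with: a Version record, a Mode record, a Via record carrying the URI the client believes it is talking to, an encoding record and a PreambleEnd, which the server answers with a single PreambleAck byte. The following Python is an added example, not part of the Joe Sandbox report and not the rule's own logic: it decodes that preamble from raw bytes and flags the two properties worth hunting on in this traffic, a literal IP in the Via and a port other than the net.tcp default 808. The client hello is a constructed fixture; the report shows no payload bytes, so the Via string net.tcp://178.23.190.118:1912/ is an assumption built from the IP and port in the tables above, and the names parse_preamble, assess and CLIENT_HELLO are the example's own.

```python
"""Added example (not from the report): decoding a .NET Message Framing (MC-NMF) preamble.

WCF net.tcp sessions open with a sequence of MC-NMF records. This parser walks
those records, pulls out the Via URI and flags what a hunter would query for:
a Via that names a literal IP and a port other than the net.tcp default 808.
The client hello below is a constructed fixture, not bytes from the sample.
"""
import ipaddress
from urllib.parse import urlsplit

RECORD_NAMES = {0x00: "Version", 0x01: "Mode", 0x02: "Via", 0x03: "KnownEncoding",
                0x04: "ExtensibleEncoding", 0x05: "UnsizedEnvelope", 0x06: "SizedEnvelope",
                0x07: "End", 0x08: "Fault", 0x09: "UpgradeRequest", 0x0A: "UpgradeResponse",
                0x0B: "PreambleAck", 0x0C: "PreambleEnd"}
MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "UTF-8 SOAP 1.1", 1: "UTF-16 SOAP 1.1", 2: "Unicode LE SOAP 1.1",
             3: "UTF-8 SOAP 1.2", 4: "UTF-16 SOAP 1.2", 5: "Unicode LE SOAP 1.2",
             6: "MTOM SOAP 1.2", 7: "Binary SOAP 1.2", 8: "Binary SOAP 1.2 with in-band dictionary"}
NET_TCP_DEFAULT_PORT = 808


def read_varlen(buf: bytes, pos: int):
    """7-bit little-endian length prefix used by Via, Fault, Upgrade and SizedEnvelope records."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated length field")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 35:
            raise ValueError("length field too long")


def write_varlen(n: int) -> bytes:
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def parse_preamble(buf: bytes) -> list:
    """Return (record name, value) pairs up to and including PreambleEnd or PreambleAck."""
    records, pos = [], 0
    while pos < len(buf):
        rtype = buf[pos]
        pos += 1
        name = RECORD_NAMES.get(rtype)
        if name is None:
            raise ValueError(f"unknown record type 0x{rtype:02x} at offset {pos - 1}")
        if name == "Version":
            records.append((name, (buf[pos], buf[pos + 1])))
            pos += 2
        elif name == "Mode":
            records.append((name, MODES.get(buf[pos], f"unknown({buf[pos]})")))
            pos += 1
        elif name == "KnownEncoding":
            records.append((name, ENCODINGS.get(buf[pos], f"unknown({buf[pos]})")))
            pos += 1
        elif name in ("Via", "ExtensibleEncoding", "Fault", "UpgradeRequest", "SizedEnvelope"):
            n, pos = read_varlen(buf, pos)
            if pos + n > len(buf):
                raise ValueError(f"truncated {name} record")
            body = buf[pos:pos + n]
            records.append((name, body if name == "SizedEnvelope" else body.decode("utf-8")))
            pos += n
        else:  # End, UnsizedEnvelope marker, UpgradeResponse, PreambleAck, PreambleEnd
            records.append((name, None))
            if name in ("PreambleEnd", "PreambleAck"):
                break
    return records


def assess(records: list) -> dict:
    """Summarise a parsed client preamble and raise hunting flags on the Via."""
    fields = dict(records)
    via, flags = fields.get("Via"), []
    if via:
        parts = urlsplit(via)
        try:
            ipaddress.ip_address(parts.hostname or "")
            flags.append("via_literal_ip")          # a host name is the norm for legitimate services
        except ValueError:
            pass
        if parts.scheme == "net.tcp" and parts.port not in (None, NET_TCP_DEFAULT_PORT):
            flags.append("via_nondefault_port")
    if fields.get("Version") != (1, 0):
        flags.append("unexpected_version")
    return {"via": via, "mode": fields.get("Mode"), "encoding": fields.get("KnownEncoding"), "flags": flags}


# Constructed fixture: the Via reuses the C2 IP and port seen in this report, the rest are WCF defaults.
VIA = b"net.tcp://178.23.190.118:1912/"
CLIENT_HELLO = (b"\x00\x01\x00"                          # Version 1.0
                + b"\x01\x02"                            # Mode: Duplex
                + b"\x02" + write_varlen(len(VIA)) + VIA  # Via
                + b"\x03\x08"                            # KnownEncoding: binary, in-band dictionary
                + b"\x0c")                               # PreambleEnd
SERVER_ACK = b"\x0b"                                     # PreambleAck from the server

if __name__ == "__main__":
    print(assess(parse_preamble(CLIENT_HELLO)))
    print(parse_preamble(SERVER_ACK))
```

The same record walk can be applied to the first segment of any TCP stream captured on an unusual port: a valid Version/Mode/Via sequence identifies WCF framing regardless of the port, and the Via value is the field to pivot on, since it is the client's own statement of its C2 address.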
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 09:26:53.406356096 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:26:53.411222935 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:53.411286116 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:26:53.419182062 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:26:53.423953056 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:54.024851084 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:54.055104971 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:26:54.059932947 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:54.237166882 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:54.281636953 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:26:59.308906078 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:26:59.313796043 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:59.486185074 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:59.486207962 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:59.486219883 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:59.486229897 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:59.486242056 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:26:59.486255884 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:26:59.486277103 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:26:59.531632900 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.617952108 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.622948885 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.622993946 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623008013 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623059988 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623063087 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623091936 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623117924 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623120070 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623146057 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623173952 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623276949 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623318911 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623330116 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623347044 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623368979 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623378992 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623393059 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623423100 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.623461962 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.623506069 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628199100 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628227949 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628254890 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628276110 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628293037 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628307104 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628312111 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628353119 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628355980 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628388882 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628422976 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628433943 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628623009 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628674030 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628714085 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628761053 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628765106 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628809929 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628823996 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628866911 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628885031 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.628937960 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.628988981 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.629019976 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.629041910 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.629064083 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.633678913 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.633738041 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.633800030 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.633852005 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.633908033 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.633971930 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.634181976 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634241104 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.634572029 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634601116 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634629011 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634644985 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.634658098 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634710073 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634736061 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634782076 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634809017 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634835958 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634946108 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.634974003 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.635024071 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.635052919 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.635102987 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.635129929 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.635160923 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.635188103 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.637649059 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.638727903 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.638756990 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.638776064 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.638808012 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.638829947 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.638856888 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.638876915 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.638905048 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.638932943 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.638947964 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.638974905 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.638978958 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.639005899 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.639024019 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.639031887 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.639050007 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.639076948 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.639082909 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.639108896 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
Jul 3, 2024 09:27:00.639134884 CEST | 49730 | 1912 | 192.168.2.4 | 178.23.190.118
Jul 3, 2024 09:27:00.639134884 CEST | 1912 | 49730 | 178.23.190.118 | 192.168.2.4
                          Jul 3, 2024 09:27:00.639157057 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.639163017 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639205933 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639231920 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639280081 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639307022 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639334917 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639377117 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639429092 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639456034 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639482021 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639508009 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639538050 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639647007 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639728069 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.639755011 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640016079 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640064955 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640091896 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640185118 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640213013 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640260935 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640288115 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640336037 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640362024 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640388966 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.640922070 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.642642975 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642673969 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642693043 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.642745018 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642771959 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642819881 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642849922 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642877102 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642904043 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642952919 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.642980099 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643007040 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643033981 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643084049 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643110991 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643137932 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643165112 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643192053 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643240929 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643268108 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643295050 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643321037 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643349886 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643398046 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643424988 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643451929 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643477917 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643543959 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643744946 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643771887 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643799067 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643827915 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.643852949 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644402027 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644570112 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644598007 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644625902 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644675016 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644701958 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644748926 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644776106 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644828081 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644855022 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644903898 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644931078 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644958973 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.644984961 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.645032883 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.645060062 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.645087004 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.645112991 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.645159960 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.645186901 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.645215988 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.645242929 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646064997 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646092892 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646141052 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646167994 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646272898 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646331072 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646380901 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646446943 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646568060 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646694899 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646743059 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646770000 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646832943 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646882057 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646929026 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646955013 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.646986008 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647036076 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647062063 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647089005 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647115946 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647142887 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647169113 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647196054 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647222996 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647248983 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647275925 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647362947 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647391081 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647438049 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647465944 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647492886 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647541046 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647567987 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647594929 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647622108 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647670984 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647699118 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647725105 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647752047 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647778988 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647805929 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647833109 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647881985 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647912025 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647938013 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647964954 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.647989988 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.648017883 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.648045063 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.648071051 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.648097992 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.648293972 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.649712086 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.649768114 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.654939890 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.654968023 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.654994965 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655020952 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655071974 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655098915 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655126095 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655153036 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655157089 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.655201912 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655215979 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.655232906 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655260086 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655286074 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655333996 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655360937 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655388117 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655414104 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655462980 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655489922 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655517101 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655541897 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655591965 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655620098 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655647039 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655694962 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655723095 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655750036 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655776978 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655802965 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655829906 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655857086 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655883074 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655909061 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655958891 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.655987024 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656013966 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656040907 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656068087 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656095028 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656121969 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656147957 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656174898 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656202078 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656228065 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656254053 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656280041 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656306028 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656332970 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656358957 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656385899 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656410933 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656438112 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656464100 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.656522989 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661458969 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661487103 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661513090 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661561012 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661587954 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661614895 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661642075 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661657095 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.661693096 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661716938 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.661720991 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661747932 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661776066 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661823034 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661853075 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661880016 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661906958 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661933899 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.661961079 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662010908 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662036896 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662065029 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662091970 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662118912 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662143946 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662169933 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662224054 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662251949 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662278891 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662306070 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.662332058 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.687876940 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.692904949 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.693152905 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.693209887 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.693209887 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.693259954 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.698272943 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698324919 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698353052 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698380947 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698407888 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698514938 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698542118 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698589087 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698617935 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698666096 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698693037 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698743105 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698769093 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698795080 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.698821068 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.710812092 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.711013079 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.711102009 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.711102009 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.711152077 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.716073990 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.734761000 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.740098000 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.740227938 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.745136023 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745263100 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745290041 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745342970 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745369911 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745397091 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745424032 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745450974 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745476961 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745527029 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745554924 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745580912 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745606899 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745635986 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.745662928 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:00.766011000 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:00.771074057 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:01.464647055 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:01.472345114 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:01.477241039 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:01.645505905 CEST191249730178.23.190.118192.168.2.4
                          Jul 3, 2024 09:27:01.687885046 CEST497301912192.168.2.4178.23.190.118
                          Jul 3, 2024 09:27:01.743005037 CEST497301912192.168.2.4178.23.190.118
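The rows above record a single TCP flow between the analysis VM (192.168.2.4, ephemeral port 49730) and 178.23.190.118 on port 1912, heavily weighted towards packets arriving from the remote host. The Python below is an added example and is not code from the Joe Sandbox report: it parses rows in the column layout used above (timestamp, source port, destination port, source IP, destination IP), counts packets per direction, measures the flow's duration and flags a remote port outside an allow-list of expected service ports, the kind of check behind the report's "Detected TCP or UDP traffic on non-standard ports" signature. The sample rows are constructed from values in the table; the sandbox address, the port allow-list and the truncation of nanosecond stamps to microseconds are this example's assumptions.

```python
from datetime import datetime
from typing import Dict, List, NamedTuple

SANDBOX_IP = "192.168.2.4"   # assumption: address of the analysis VM

# Assumption: remote ports an egress point would normally expect to see.
EXPECTED_SERVICE_PORTS = {25, 53, 80, 443, 465, 587, 993, 995, 8080, 8443}

# Constructed sample rows in the same column order as the table above:
# timestamp, source port, destination port, source IP, destination IP.
SAMPLE_ROWS = """
Jul 3, 2024 09:27:00.634181976 CEST  1912  49730  178.23.190.118  192.168.2.4
Jul 3, 2024 09:27:00.634241104 CEST  49730  1912  192.168.2.4  178.23.190.118
Jul 3, 2024 09:27:00.634572029 CEST  1912  49730  178.23.190.118  192.168.2.4
Jul 3, 2024 09:27:00.634601116 CEST  1912  49730  178.23.190.118  192.168.2.4
Jul 3, 2024 09:27:01.464647055 CEST  1912  49730  178.23.190.118  192.168.2.4
Jul 3, 2024 09:27:01.743005037 CEST  49730  1912  192.168.2.4  178.23.190.118
"""


class Packet(NamedTuple):
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


def parse_row(line: str) -> Packet:
    """Parse one row. The last four whitespace-separated fields are
    port/port/ip/ip; everything before them is the timestamp
    ('Jul 3, 2024 09:27:00.634181976 CEST')."""
    stamp, sport, dport, src, dst = line.strip().rsplit(None, 4)
    date_part, _zone = stamp.rsplit(" ", 1)      # drop the zone label
    head, frac = date_part.rsplit(".", 1)
    # datetime resolves microseconds only, so the nanosecond stamp is
    # truncated to its first six fractional digits (assumption).
    ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return Packet(ts, int(sport), int(dport), src, dst)


def summarise(rows: str, sandbox_ip: str = SANDBOX_IP) -> Dict[str, object]:
    """Summarise the flow(s) in a block of rows from the sandbox's view:
    which remote hosts and ports were involved, how many packets went each
    way, how long the exchange lasted, and whether any remote port falls
    outside the expected-service allow-list."""
    pkts: List[Packet] = [parse_row(l) for l in rows.splitlines() if l.strip()]
    if not pkts:
        raise ValueError("no packet rows")
    inbound = [p for p in pkts if p.dst == sandbox_ip]
    outbound = [p for p in pkts if p.src == sandbox_ip]
    remote_ports = {p.sport for p in inbound} | {p.dport for p in outbound}
    remote_hosts = {p.src for p in inbound} | {p.dst for p in outbound}
    start, end = min(p.ts for p in pkts), max(p.ts for p in pkts)
    return {
        "remote_hosts": sorted(remote_hosts),
        "remote_ports": sorted(remote_ports),
        "inbound": len(inbound),
        "outbound": len(outbound),
        "duration_s": round((end - start).total_seconds(), 6),
        "non_standard_port": bool(remote_ports - EXPECTED_SERVICE_PORTS),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full table above, the same function shows the inbound-heavy profile (the remote host pushing data down to the sandbox within the first few hundred milliseconds) that a stealer's initial check-in typically produces; the port allow-list is deliberately small and should be tuned to the environment being monitored.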

                          Target ID:0
                          Start time:03:26:49
                          Start date:03/07/2024
                          Path:C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\RFQ SY103 2nd order 2024.exe"
                          Imagebase:0x20951900000
                          File size:2'714'665 bytes
                          MD5 hash:52A63EB1AF96BCCCBA7E8FAF1280ECD1
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1763001067.00000209538BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1764969860.000002096394A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1764969860.00000209637C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:03:26:49
                          Start date:03/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:2
                          Start time:03:26:50
                          Start date:03/07/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                          Wow64 process (32bit):
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                          Imagebase:
                          File size:43'008 bytes
                          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:false

                          Target ID:3
                          Start time:03:26:51
                          Start date:03/07/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                          Imagebase:0x9d0000
                          File size:47'584 bytes
                          MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1725634665.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1727587721.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1727587721.0000000002F04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:moderate
                          Has exited:true

                          Target ID:4
                          Start time:03:26:51
                          Start date:03/07/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                          Wow64 process (32bit):
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                          Imagebase:
                          File size:47'584 bytes
                          MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:false

                          Target ID:7
                          Start time:03:26:51
                          Start date:03/07/2024
                          Path:C:\Windows\System32\WerFault.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7296 -s 1032
                          Imagebase:0x7ff783f00000
                          File size:570'736 bytes
                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true


                            Execution Graph

                            Execution Coverage:11%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:22
                            Total number of Limit Nodes:1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID: BL_H$NL_H$x6Rc$x6Rc
                            • API String ID: 0-2343561832
                            • Opcode ID: cde09c382c7f8c2c3f0812a74e5b820c2879ea5b066ce2673400caef49e7c85b
                            • Instruction ID: 68a5e25a1f7ec2d1814b61d9a123d287f08030ce31f2441fa29822213e66d4ca
                            • Opcode Fuzzy Hash: cde09c382c7f8c2c3f0812a74e5b820c2879ea5b066ce2673400caef49e7c85b
                            • Instruction Fuzzy Hash: 0DB2893070DB494FE369DB28C4A14B5B7E1FF99301B0445BEE48AC72A6DE38E946C781
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID: $Rc$-L_L$x6Rc$x6Rc
                            • API String ID: 0-2066889307
                            • Opcode ID: 2762b062a571fdd3913356072d2c85cae6a5cdccf6a18032087916ee3c91d691
                            • Instruction ID: b44a01aba64bfb473713da1fc63ab9de19f03d7e31f5051f00aad93a4cb40b6e
                            • Opcode Fuzzy Hash: 2762b062a571fdd3913356072d2c85cae6a5cdccf6a18032087916ee3c91d691
                            • Instruction Fuzzy Hash: 33C2E931B19A5D8FDBA8EB68D465A7877E1FF59300F1500B9D04ECB2A2DE34AD41CB81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID: -L_L
                            • API String ID: 0-1221955707
                            • Opcode ID: 32262c2494f33215c175c432897ca5d6022cad93eefe2bdf93c05b431b17c7a5
                            • Instruction ID: 7fad412ab370747287846739f178c16a4960f8cf0eb7334bca1ac402ac5a10c1
                            • Opcode Fuzzy Hash: 32262c2494f33215c175c432897ca5d6022cad93eefe2bdf93c05b431b17c7a5
                            • Instruction Fuzzy Hash: C972673162DB5E4FE369DB28C4615B577E1FF99300B0145BED48AC72A2DE28E946CBC0

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID: HW_L
                            • API String ID: 0-1415502811
                            • Opcode ID: 4903d728348f5f61067c8b607eaad745448a018a1468291dc46444fa18518113
                            • Instruction ID: 093fcb417e7854f861968a02a0032059bf31303526373bdb9f6825199141e36a
                            • Opcode Fuzzy Hash: 4903d728348f5f61067c8b607eaad745448a018a1468291dc46444fa18518113
                            • Instruction Fuzzy Hash: 8052C330B0DA0D8FDB68EB68D465A7977E1FF59300B1501BEE44EC72A2DE24ED428791
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769715977.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b980000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 89f084b69afa8f692dc11eea5e91623c2945a6ea96fd4517dc8fc9a72d7ecfc5
                            • Instruction ID: e78791e6e6f019bcac611f7e6cdc97c5006c8aef892421df6ad18d2e4344cf91
                            • Opcode Fuzzy Hash: 89f084b69afa8f692dc11eea5e91623c2945a6ea96fd4517dc8fc9a72d7ecfc5
                            • Instruction Fuzzy Hash: 89E24B7191FBC95FEB66CB6888655A47FE0FF56700F0A01FED089CB0A3DA286946C741
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID: fish
                            • API String ID: 0-1064584243
                            • Opcode ID: 86bb3f72c4df4581bf8e30246415264d92b4ab5d0939f7642d7bc2d66f0b2f6b
                            • Instruction ID: 26f2bb3633e96134bb25154cb2c0841f549c8d59d26aaa643349e2b42f0ae5ec
                            • Opcode Fuzzy Hash: 86bb3f72c4df4581bf8e30246415264d92b4ab5d0939f7642d7bc2d66f0b2f6b
                            • Instruction Fuzzy Hash: FED15C30B1DA4E4FE75CAB6898655B573E1FF9A310B05417EE48BC31E3ED28A8428791
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f632513cc554ab00b5e924b841be1d67a3b064fac839239b2dbdcc3f4b5b17e4
                            • Instruction ID: 2697eeaac4e3ff8802aafe026ff57caad2ae467ca84fb7fc336b4b8f029de8c6
                            • Opcode Fuzzy Hash: f632513cc554ab00b5e924b841be1d67a3b064fac839239b2dbdcc3f4b5b17e4
                            • Instruction Fuzzy Hash: B9A2363060DB4E4FE759DB28C8A44A5B7E1FF89301B1545BED08AC72B6DE38E946CB50
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 973487f683204178a7a0b20f12600cb78bf2d09ef04a0a0221ad17c220504f2e
                            • Instruction ID: a84714b4dcae7ac976b63ec2027a50825e54e556b03ac17d900f55b1caa534d6
                            • Opcode Fuzzy Hash: 973487f683204178a7a0b20f12600cb78bf2d09ef04a0a0221ad17c220504f2e
                            • Instruction Fuzzy Hash: 27F19F3160EB8A4FE32DCB6888A55B577D2FF99301F05467ED4CAC72B1DD28A502CB91
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 307acf5d7d8d0d9eb732f8ee39fe7856a9fd698d22da954c703488d394ad8f72
                            • Instruction ID: dfc32982fbdb9963cdf5c15fc9d4c04306e792ec0ae52cb359c7e0d291fa2265
                            • Opcode Fuzzy Hash: 307acf5d7d8d0d9eb732f8ee39fe7856a9fd698d22da954c703488d394ad8f72
                            • Instruction Fuzzy Hash: 92B10330B1D54E4FE768ABAC94A16B977D2EF8D340F1501BAD00FC72E6DD28AD42C251
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac81050aad6ab73da498018f065922e7381cf445300313bade238d2601520e3b
                            • Instruction ID: e0373435e91b1024e98ab4c6465e1d8e8c3f57b45c48378a177a01a5ef202c14
                            • Opcode Fuzzy Hash: ac81050aad6ab73da498018f065922e7381cf445300313bade238d2601520e3b
                            • Instruction Fuzzy Hash: 82515C32A0E7994FD31D9A7898660753BE1DB8732070982BFD4C7CB1E7E924A807C794

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID: AK_L
                            • API String ID: 0-1013632581
                            • Opcode ID: 5274aecb0320b1874d75dd0640ec07c25dc371b40da983159906d8133abd4042
                            • Instruction ID: 665868c5730a7b9f4317fcf1f23a0c13b6993ca2ec9272b154e32998738612cd
                            • Opcode Fuzzy Hash: 5274aecb0320b1874d75dd0640ec07c25dc371b40da983159906d8133abd4042
                            • Instruction Fuzzy Hash: E4B14632B0DA594FE76CDB6C98565B4B7D1FF98311F10067EE089C32A6ED64A8428BC1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: 8a5b27c52da5b7666745ba61fd97a5b5f6e3d821cd5d75fb2341a28ec5da2d31
                            • Instruction ID: b1ed8c45b792080a2fa222493bb0fb325ea437365eeec1d8504c3054ec98c3a1
                            • Opcode Fuzzy Hash: 8a5b27c52da5b7666745ba61fd97a5b5f6e3d821cd5d75fb2341a28ec5da2d31
                            • Instruction Fuzzy Hash: EA412730A0DB884FDB1ADBA898466F97FF1EF56321F0442AFD049C35E2CB646856C791
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: f6462851260b5753a6d730c1a24451e8a72d5f4893a088a51ae44fbaf22cc999
                            • Instruction ID: 2ffb010ebbd6226426c8af101847e550c0187d3b8ee4756d10f5434dd4494969
                            • Opcode Fuzzy Hash: f6462851260b5753a6d730c1a24451e8a72d5f4893a088a51ae44fbaf22cc999
                            • Instruction Fuzzy Hash: 35314A31A0DB4C8FDB19DBAC98556F87BE0EF66321F04426FE04AC31A3DB606856C791
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: b3af74bcb500b457844bdd126040e70dbd88b811ab9ee1eedc316eba3bd2a1e1
                            • Instruction ID: daf410ef000b53751efd39c8076ab18a6612d4009b5929f939787cbc693a634d
                            • Opcode Fuzzy Hash: b3af74bcb500b457844bdd126040e70dbd88b811ab9ee1eedc316eba3bd2a1e1
                            • Instruction Fuzzy Hash: 0A310831A0DA4C8FDB18DF9898456F97BF1EB69311F00426FD04AC36A2DB706856C791
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: da6b3892d0cbbea923c9cf0655485afa58055e1fb8238ab84fbaa5af67a7a6e6
                            • Instruction ID: f7246017e8dae48d68c725421d1fbbdbd06455ba7d361fc5ae390df7394f6f87
                            • Opcode Fuzzy Hash: da6b3892d0cbbea923c9cf0655485afa58055e1fb8238ab84fbaa5af67a7a6e6
                            • Instruction Fuzzy Hash: CF31B431A0CB5C8FDB18DFA8984A6F97BF1EF99321F04426FD049C3192DB646856CB91
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID: ConsoleFree
                            • String ID:
                            • API String ID: 771614528-0
                            • Opcode ID: f16cf471a4b2898be54b3b3e04cce0fc67701934e648359ea175b4a78f88b5f9
                            • Instruction ID: 0b2b2e2b3c8b292711450f6519da30f565639a041b33c69fe522ae4b5fda76ba
                            • Opcode Fuzzy Hash: f16cf471a4b2898be54b3b3e04cce0fc67701934e648359ea175b4a78f88b5f9
                            • Instruction Fuzzy Hash: EC31613150C7488FDB19DF98D885BEABBF0EF56320F0442AED099C3552D768A546CB51
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769715977.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b980000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f3c028cf7df453a505114ebd12de17dcac21baddf86e8b5d98a405787f529d3
                            • Instruction ID: 3ab6e9fadee084a4b61e022665e6c79153320b61f3680f82ef3f9729c0686f25
                            • Opcode Fuzzy Hash: 7f3c028cf7df453a505114ebd12de17dcac21baddf86e8b5d98a405787f529d3
                            • Instruction Fuzzy Hash: F2414831A0EA8D5FDB56DF68C8645E87FF0FF59304B0A01EBD44ACB1A2DA34A945C780
                            Memory Dump Source
                            • Source File: 00000000.00000002.1769247200.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8a0000_RFQ SY103 2nd order 2024.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: da79ac742dadd015afe35fe729c607334b191c5c3549d819400010a6d219743c
                            • Instruction ID: 97ca235c975d4ef9c39853891bb3a5a3156b58d98d7fc052b3be8499dc415550
                            • Opcode Fuzzy Hash: da79ac742dadd015afe35fe729c607334b191c5c3549d819400010a6d219743c
                            • Instruction Fuzzy Hash: ABD17931B1EA4A4FE379DFA89861571B7D0EF55310B1542BED09AC31E7EA24F9438390

                            Execution Graph

                            Execution Coverage:7.7%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:52
                            Total number of Limit Nodes:9

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0112D136
                            • GetCurrentThread.KERNEL32 ref: 0112D173
                            • GetCurrentProcess.KERNEL32 ref: 0112D1B0
                            • GetCurrentThreadId.KERNEL32 ref: 0112D209
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 961c6bbbaf72e0ba82dd0f8078cf9bc45068772f4a5c2a5f6db47a10aa78c04c
                            • Instruction ID: 4e199c713028b2e447f75fa89d0ff1006b29b8f59d397fccc7f8bb397fb2b6ac
                            • Opcode Fuzzy Hash: 961c6bbbaf72e0ba82dd0f8078cf9bc45068772f4a5c2a5f6db47a10aa78c04c
                            • Instruction Fuzzy Hash: 675135B0D012498FDB48DFA9D548BDEBBF1EF48314F208459E459AB3A0DB349984CF65

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0112D136
                            • GetCurrentThread.KERNEL32 ref: 0112D173
                            • GetCurrentProcess.KERNEL32 ref: 0112D1B0
                            • GetCurrentThreadId.KERNEL32 ref: 0112D209
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 91e430cd934cd0bb91ab242ff5deb7dc0accc4866a9e9e5fb93ea7bd6eaf924c
                            • Instruction ID: cb86cdb76ccf62be31d4f138e8dc5d1390c3ce5bccb1cf07cd1a18498f88b273
                            • Opcode Fuzzy Hash: 91e430cd934cd0bb91ab242ff5deb7dc0accc4866a9e9e5fb93ea7bd6eaf924c
                            • Instruction Fuzzy Hash: 9F5135B09012498FDB18DFAAD548BDEBBF1EF48314F20C459E459A73A0DB349984CF65

                            Control-flow Graph
                            • Graph spans 0x112ae30-0x112b0b0; internal calls to 0x1129838, 0x112b0b8 or 0x112b0c8 (alternative targets of the call at 0x112ae56), 0x112a814, 0x112a824, 0x112a834 and 0x112a844; one API call, GetModuleHandleW, in block 0x112b068-0x112b093
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0112B086
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: ad555849d34a6f90bdbb5af665ea860a6070e76ffe1a1d1435676e73fe7b5c23
                            • Instruction ID: d6218fc3b9f23810248a5d402436a7fe72dade483da51da1cd0a7219954e04cb
                            • Opcode Fuzzy Hash: ad555849d34a6f90bdbb5af665ea860a6070e76ffe1a1d1435676e73fe7b5c23
                            • Instruction Fuzzy Hash: E58147B0A00B158FD728DF29E14079ABBF1FF48304F10892ED586DBA50D779E85ACB95

                            Control-flow Graph
                            • Graph spans 0x1125935-0x1125a89 (9 basic blocks); one API call, CreateActCtxA, in block 0x1125944-0x1125a01; the final block 0x1125a89 branches to itself
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 011259F1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 49cd4716e320028a73f589e8fb7e1728a5a70b6c990b42ad118e142d9e4f7ee0
                            • Instruction ID: f0e9a4999750d44070757577840ac495e3349bc2f890a2be5f4ae4f7e29bcc58
                            • Opcode Fuzzy Hash: 49cd4716e320028a73f589e8fb7e1728a5a70b6c990b42ad118e142d9e4f7ee0
                            • Instruction Fuzzy Hash: C041F2B0C00729CFDB24CFAAC884BDDBBB5BF48304F24805AD408AB254DB755989CF90

                            Control-flow Graph
                            • Graph spans 0x1124248-0x1125a89 (8 basic blocks); one API call, CreateActCtxA, in block 0x1124248-0x1125a01; the final block 0x1125a89 branches to itself
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 011259F1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 4e85fd8257bee8e2c790dcb62bf121bc7052fe43840f4f427b6f50131d5f81fe
                            • Instruction ID: 6249bec9eafd6fc027702712adbf3692ee6a56393ea241cc1a87d1d316a5aff3
                            • Opcode Fuzzy Hash: 4e85fd8257bee8e2c790dcb62bf121bc7052fe43840f4f427b6f50131d5f81fe
                            • Instruction Fuzzy Hash: 4F41E1B0D00729CADB28CFAAC884BDDBBB6FF45304F24805AD408AB255DB756945CF90

                            Control-flow Graph
                            • Graph spans 0x112d300-0x112d3ba (3 basic blocks); one API call, DuplicateHandle, in block 0x112d300-0x112d394
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0112D387
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 3440bd9a89e482817ec8f42a558ed930f72892bc82fa09d3a39a95d20c506321
                            • Instruction ID: c697087ad2c6ed8204261e5d02936f48dc478c3293dd7bbc26c8ec6f7113d4e6
                            • Opcode Fuzzy Hash: 3440bd9a89e482817ec8f42a558ed930f72892bc82fa09d3a39a95d20c506321
                            • Instruction Fuzzy Hash: F621E2B5900218DFDB10CFAAD984ADEBFF8FB48320F14801AE918A7350C374A954CFA4

                            Control-flow Graph
                            • Graph spans 0x112d2f9-0x112d3ba (3 basic blocks); one API call, DuplicateHandle, in block 0x112d2f9-0x112d394
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0112D387
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: e3099bbf31816ad6d50efd2847c78050a4c1428361dc4be3f46a80035fcd8b11
                            • Instruction ID: 9a8c469ec73a08ac8a27b1d79c462894247ebc836dd173249473cd89f844615c
                            • Opcode Fuzzy Hash: e3099bbf31816ad6d50efd2847c78050a4c1428361dc4be3f46a80035fcd8b11
                            • Instruction Fuzzy Hash: 8D21E4B5D00218DFDB10CFAAD585AEEBBF4FB48324F14841AE958A7250C378A954CFA4

                            Control-flow Graph
                            • Graph spans 0x112a870-0x112b345 (5 basic blocks); one API call, LoadLibraryExW, in block 0x112b2f0-0x112b31f
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0112B101,00000800,00000000,00000000), ref: 0112B312
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 91f57f86f9efab77c1f7250121ef1b3b08eb340cc2e71d1e4c4b1d9d793da927
                            • Instruction ID: ff9e712a6785fa4a2d8c290857b75971054fa1d16eb8463b902d8f7e38fd35dc
                            • Opcode Fuzzy Hash: 91f57f86f9efab77c1f7250121ef1b3b08eb340cc2e71d1e4c4b1d9d793da927
                            • Instruction Fuzzy Hash: D01112B6D043598FDB14CF9AD444AEEFBF4EB48320F10842AE919A7310C375A954CFA9

                            Control-flow Graph
                            • Graph spans 0x112b2a0-0x112b345 (5 basic blocks); one API call, LoadLibraryExW, in block 0x112b2f0-0x112b31f
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0112B101,00000800,00000000,00000000), ref: 0112B312
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 64ffcb4dae835698701bec3344dc257f794a5b5d40b11f1923a2302180236e16
                            • Instruction ID: b6c31a8daaf1058d6a1794a0c9ab1728a924530cfd1f3c7bc01af0da716dad0e
                            • Opcode Fuzzy Hash: 64ffcb4dae835698701bec3344dc257f794a5b5d40b11f1923a2302180236e16
                            • Instruction Fuzzy Hash: 5F1112B69042598FDB14CF9AC444ADEFFF4EB48320F14842AD969A7210C375A545CFA4

                            Control-flow Graph
                            • Graph spans 0x112b020-0x112b0b0 (5 basic blocks); one API call, GetModuleHandleW, in block 0x112b068-0x112b093
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0112B086
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 3c5a7df94f3caa88044791460492a95d17e0b8f6acaf5b78402d913b47c40f1d
                            • Instruction ID: 51345c4cf3365fd9859cd65271bc5533573b6c9508b7f4777424a909b3f790c9
                            • Opcode Fuzzy Hash: 3c5a7df94f3caa88044791460492a95d17e0b8f6acaf5b78402d913b47c40f1d
                            • Instruction Fuzzy Hash: 391110B5C00359CFDB24CF9AC444ADEFBF4AB88324F10842AD468B7210C379A545CFA9
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726237757.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_10bd000_jsc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fdbe05fd93b24da44817bf469a1462a95cf1a51be1fc4200078d84a682d42798
                            • Instruction ID: 5aa32e786009a172c2e3836246fd1d2bd2409889f71cb0aea344de633c230f81
                            • Opcode Fuzzy Hash: fdbe05fd93b24da44817bf469a1462a95cf1a51be1fc4200078d84a682d42798
                            • Instruction Fuzzy Hash: 2B210675540240DFCB05DF54D9C4BAAFFA5FB88318F24C6A9E9890B256C336D416CBA1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726237757.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_10bd000_jsc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad7851bbe3d9fc21ef57732ca4f0429501f7e453bbe637349b8bb288cb429856
                            • Instruction ID: 9b28818389f43c8d9e51c186d69589621ffdbe53a0fc994fd6c7da8ac93d4370
                            • Opcode Fuzzy Hash: ad7851bbe3d9fc21ef57732ca4f0429501f7e453bbe637349b8bb288cb429856
                            • Instruction Fuzzy Hash: 5C214871500200DFDB05DF48C9C0B9AFFA5FB84318F20C5A9E9490B256C73AE446C7A1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726299054.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_10cd000_jsc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ccfff496c2fd2d59e1056d58d19f8d75be1a14d223bfffe1ffd66d8f8ddcf0b3
                            • Instruction ID: 48a538a30b3d43ed41920839f9f4c171d21a275ca964aee91d0eae593d4f9e72
                            • Opcode Fuzzy Hash: ccfff496c2fd2d59e1056d58d19f8d75be1a14d223bfffe1ffd66d8f8ddcf0b3
                            • Instruction Fuzzy Hash: 2D210071604200DFCB15DF98D984B2ABBA5EB84B14F30C5BDE98A4B256C33AD447CBA1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726299054.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_10cd000_jsc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4142cc12e9d7e50139fd5abbe81a4d497d385cc556a12dba391739ad1f5f66bf
                            • Instruction ID: 8ffdac30e10e75307bd13f033a9a1e93c8bd15f1656f3c3fbf4cb70b061cdb56
                            • Opcode Fuzzy Hash: 4142cc12e9d7e50139fd5abbe81a4d497d385cc556a12dba391739ad1f5f66bf
                            • Instruction Fuzzy Hash: 352195755083809FCB03CF58D994715BFB1EB46314F24C5EAD8898F2A7C33A9806CBA2
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726237757.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_10bd000_jsc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                            • Instruction ID: 067373be2606693e63e44b37ea80bf5cf484ed15668506f71fb0080b9802b039
                            • Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                            • Instruction Fuzzy Hash: D621CD76404280DFCB06CF44D9C4B96BFB2FB88318F24C2A9D9880A256C33AD426CB91
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726237757.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_10bd000_jsc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction ID: 17ad2b4331c8054568e1761c09e32ee005b400d371109a2da8734567394db718
                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction Fuzzy Hash: 1C11DF72404240CFDB02CF44D5C4B96FFB1FB94328F24C6A9D9490B256C33AE45ACBA2
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726237757.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_10bd000_jsc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 66222ec88845a6d653b725109a97d6a61fd6041d163dbf4b29afdbd2659b418e
                            • Instruction ID: a3d00ba653e877c801de88c6f7fb9e06c675d6b0c6ffc6f7b2a2c55a34ea555f
                            • Opcode Fuzzy Hash: 66222ec88845a6d653b725109a97d6a61fd6041d163dbf4b29afdbd2659b418e
                            • Instruction Fuzzy Hash: B0012B7100D3009AE7118A59CDC47A7FFD8EF41328F08C469ED880F286C279D840C7B1
                            Memory Dump Source
                            • Source File: 00000003.00000002.1726237757.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_3_2_10bd000_jsc.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7ac2e3cd150f588b8fc1711c87b7b969aba4a41d75a0de8b6aabc20c6c74260
                            • Instruction ID: 9b77ff4b398febb96f5d5829ca43b5796aba6bd001601c9a893f07055c4c40e8
                            • Opcode Fuzzy Hash: e7ac2e3cd150f588b8fc1711c87b7b969aba4a41d75a0de8b6aabc20c6c74260
                            • Instruction Fuzzy Hash: 9DF06271409344AEE7118A1AC8C4BA2FFE8EB41628F18C55AED484E286C2799844DBB1
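                            The function listing above is machine-generated and is easier to triage as structured records than as bullets. The Python script below is an editor's example added to this page; it is not Joe Sandbox tooling or code from the analysed sample. It parses a sample constructed from three abridged entries of this section, cross-checks each entry's memory-dump source name against its snapshot name and stated Offset, groups entries that share an API String ID (the pairs of near-identical functions visible above), and lists entries whose region the report marks as not based on a PE image and which reach handle- or loader-related APIs. The .sdmp field layout it relies on (field 1 process index, field 2 dump index, field 4 base address) is an assumption inferred from the names on this page, not from vendor documentation.

```python
"""Parse the text form of a Joe Sandbox function listing into records and run two
triage checks over them. Editor's example, not Joe Sandbox code; SAMPLE is constructed
from three entries of this report, abridged to the lines the parser uses."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE = """
APIs
• GetCurrentProcess.KERNEL32 ref: 0112D136
• GetCurrentThread.KERNEL32 ref: 0112D173
• GetCurrentProcess.KERNEL32 ref: 0112D1B0
• GetCurrentThreadId.KERNEL32 ref: 0112D209
Memory Dump Source
• Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
• Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
• API String ID: 2063062207-0
• Opcode ID: 961c6bbbaf72e0ba82dd0f8078cf9bc45068772f4a5c2a5f6db47a10aa78c04c
• Instruction Fuzzy Hash: 675135B0D012498FDB48DFA9D548BDEBBF1EF48314F208459E459AB3A0DB349984CF65
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0112D387
Memory Dump Source
• Source File: 00000003.00000002.1726592287.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
• Snapshot File: hcaresult_3_2_1120000_jsc.jbxd
• API String ID: 3793708945-0
• Opcode ID: 3440bd9a89e482817ec8f42a558ed930f72892bc82fa09d3a39a95d20c506321
• Instruction Fuzzy Hash: F621E2B5900218DFDB10CFAAD984ADEBFF8FB48320F14801AE918A7350C374A954CFA4
Memory Dump Source
• Source File: 00000003.00000002.1726237757.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
• Snapshot File: hcaresult_3_2_10bd000_jsc.jbxd
• API String ID:
• Opcode ID: fdbe05fd93b24da44817bf469a1462a95cf1a51be1fc4200078d84a682d42798
• Instruction Fuzzy Hash: 2B210675540240DFCB05DF54D9C4BAAFFA5FB88318F24C6A9E9890B256C336D416CBA1
"""

# "• Name.MODULE(args), ref: ADDR" and the shorter "• Name.MODULE ref: ADDR" both occur.
API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\([^)]*\))?,? ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
SNAP_RE = re.compile(r"^• Snapshot File: hcaresult_(\d+)_(\d+)_([0-9a-f]+)_jsc\.jbxd$")
KV_RE = re.compile(r"^• ([A-Za-z ]+?):\s*(.*)$")  # remaining "• Key: value" bullets


@dataclass
class FunctionEntry:
    apis: List[str] = field(default_factory=list)
    dump_file: str = ""
    offset: int = 0
    pe_backed: Optional[bool] = None
    snapshot: Optional[Tuple[int, int, int]] = None  # (process idx, dump idx, base) from the snapshot name
    api_string_id: str = ""
    opcode_id: str = ""

    def dump_fields(self) -> Tuple[int, int, int]:
        # Assumed .sdmp layout, inferred from this report's names: field 1 = process index,
        # field 2 = dump index, field 4 = region base address in hex.
        p = self.dump_file.split(".")
        return int(p[0]), int(p[1]), int(p[3], 16)

    def consistent(self) -> bool:
        """Dump name, snapshot name and stated Offset must all name the same region."""
        if self.snapshot is None or not self.dump_file:
            return False
        proc, dump, base = self.dump_fields()
        return self.snapshot == (proc, dump, base) and base == self.offset


def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per listing entry; 'Instruction Fuzzy Hash' is the last line of each."""
    entries: List[FunctionEntry] = []
    cur = FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append(m.group(1))
        elif m := SRC_RE.match(line):
            cur.dump_file = m.group(1)
            cur.offset = int(m.group(2), 16)
            cur.pe_backed = m.group(3) == "true"
        elif m := SNAP_RE.match(line):
            cur.snapshot = (int(m.group(1)), int(m.group(2)), int(m.group(3), 16))
        elif m := KV_RE.match(line):
            key, val = m.group(1), m.group(2)
            if key == "API String ID":
                cur.api_string_id = val
            elif key == "Opcode ID":
                cur.opcode_id = val
            elif key == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = FunctionEntry()
    return entries


def group_by_api_string_id(entries: List[FunctionEntry]) -> Dict[str, List[str]]:
    """Opcode IDs of functions that import the same API set (same API String ID)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.api_string_id:
            groups[e.api_string_id].append(e.opcode_id)
    return dict(groups)


WATCH_APIS = {"DuplicateHandle", "LoadLibraryExW", "GetModuleHandleW", "CreateActCtxA"}


def non_pe_backed_with_apis(entries: List[FunctionEntry], watch=WATCH_APIS) -> List[Tuple[str, List[str]]]:
    """Functions in memory the report marks as not PE-backed that reach a watched API."""
    hits = []
    for e in entries:
        found = sorted(set(e.apis) & watch)
        if e.pe_backed is False and found:
            hits.append((e.opcode_id[:16], found))
    return hits


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(len(parsed), "entries;", sum(e.consistent() for e in parsed), "consistent")
    print(non_pe_backed_with_apis(parsed))
```

                            Run the script as-is to process the embedded sample, or pass the text of a full listing to parse_entries; entries without an APIs section parse as functions with an empty API list, and an entry whose dump name, snapshot name and Offset disagree shows up as consistent() returning False.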