Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1482539
MD5: a9a37926c6d3ab63e00b12760fae1e73
SHA1: 944d6044e111bbad742d06852c3ed2945dc9e051
SHA256: 27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b
Tags: exe

Detection

Detection: RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 3956 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A9A37926C6D3AB63E00B12760FAE1E73)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["185.215.113.67:40960"], "Bot Id": "25072023", "Authorization Header": "ddfd60e2a31e5ba38817ce280e48c5bb"}
Source | Rule | Description | Author
file.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000000.1284557443.0000000000102000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 3956 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 3956 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
5.0.file.exe.100000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched
No Snort rule has matched
IDS alerts (every entry: Protocol TCP, Classtype "A Network Trojan was detected"):

Timestamp                        SID      Source Port  Destination Port
2024-07-26T01:04:41.369324+0200  2043231  49703        40960
2024-07-26T01:04:40.469456+0200  2043231  49703        40960
2024-07-26T01:04:44.633276+0200  2043231  49703        40960
2024-07-26T01:04:46.543269+0200  2043231  49703        40960
2024-07-26T01:04:43.619800+0200  2043231  49703        40960
2024-07-26T01:04:41.083135+0200  2043231  49703        40960
2024-07-26T01:04:44.974829+0200  2043231  49703        40960
2024-07-26T01:04:43.139769+0200  2043231  49703        40960
2024-07-26T01:04:51.050265+0200  2022930  443          49704
2024-07-26T01:05:29.373404+0200  2022930  443          49710
2024-07-26T01:04:40.215517+0200  2043231  49703        40960
2024-07-26T01:04:34.607725+0200  2043234  40960        49703
2024-07-26T01:04:40.746049+0200  2043231  49703        40960
2024-07-26T01:04:46.794068+0200  2043231  49703        40960
2024-07-26T01:04:42.641660+0200  2043231  49703        40960
2024-07-26T01:04:42.092703+0200  2043231  49703        40960
2024-07-26T01:04:44.376979+0200  2043231  49703        40960
2024-07-26T01:04:47.090174+0200  2043231  49703        40960
2024-07-26T01:04:42.889746+0200  2043231  49703        40960
2024-07-26T01:04:47.382492+0200  2043231  49703        40960
2024-07-26T01:04:34.357258+0200  2046045  49703        40960
2024-07-26T01:04:45.344635+0200  2043231  49703        40960
2024-07-26T01:04:39.656148+0200  2043231  49703        40960
2024-07-26T01:04:43.871833+0200  2043231  49703        40960
2024-07-26T01:04:42.389735+0200  2043231  49703        40960
2024-07-26T01:04:39.912452+0200  2046056  40960        49703
2024-07-26T01:04:45.351191+0200  2043231  49703        40960
2024-07-26T01:04:44.126664+0200  2043231  49703        40960


AV Detection

Source: file.exe | Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:40960"], "Bot Id": "25072023", "Authorization Header": "ddfd60e2a31e5ba38817ce280e48c5bb"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 07220538h | 5_2_07220040
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 5_2_0722F9F0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0722F85Dh | 5_2_0722F483
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0722F85Dh | 5_2_0722F490

Networking

Source: Malware configuration extractor | URLs: 185.215.113.67:40960
Source: global traffic | TCP traffic: 192.168.2.11:49703 -> 185.215.113.67:40960
Source: Joe Sandbox View | IP Address: 185.215.113.67 185.215.113.67
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: file.exe, 00000005.00000002.1537465544.000000000255C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.0000000002734000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000024E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.000000000278C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.000000000278C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.000000000278C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: file.exe, 00000005.00000002.1537465544.000000000255C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: file.exe, 00000005.00000002.1537465544.000000000255C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: file.exe, 00000005.00000002.1537465544.0000000002788000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: file.exeString found in binary or memory: https://api.ip.sb/ip
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp49EB.tmp
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp49EC.tmp
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_048DDC74
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_05D467D8
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_05D4A3E8
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_05D4A3D8
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_05D46FF8
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_05D46FE8
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0722B380
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_07220040
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0722EF78
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_07222D18
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_07221BD0
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_07227A28
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0722F9F0
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0722B828
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0722F483
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0722F490
Source: C:\Users\user\Desktop\file.exe | Code function: 5_2_0722F9E0
Source: file.exe, 00000005.00000002.1536758228.00000000007AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000005.00000000.1284583506.0000000000146000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenameBaling.exe8 vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameBaling.exe8 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/5@0/1
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp49EB.tmp
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msisip.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wshext.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: esdsip.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Google Chrome.lnk.5.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: 0xBD051842 [Sun Jun 29 00:35:14 2070 UTC]
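The static PE facts listed above (a 32-bit executable image, DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE, a DEBUG and a COM descriptor data directory, and the time stamp 0xBD051842 that decodes to 29 June 2070) can all be re-derived from the file header without a sandbox. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code: it walks the DOS header, PE signature, COFF header and optional header, decodes the time stamp and flags it when it lies in the future, and reports the CLR header that marks a .NET assembly. Field offsets come from the PE specification; the header it parses is constructed inline with the values the report lists, so the bytes are not those of file.exe.

```python
"""Static PE triage for the header fields a sandbox report lists:
Characteristics, DllCharacteristics, TimeDateStamp and data directories.
Added example; the header parsed in build_sample_header() is constructed."""
import struct
from datetime import datetime, timedelta, timezone

# Flag names from winnt.h.
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE",
}
DIRECTORY_NAMES = {6: "IMAGE_DIRECTORY_ENTRY_DEBUG", 14: "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_pe_header(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, stamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                     # PE32
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:                   # PE32+
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)   # same offset in both formats
    (n_dirs,) = struct.unpack_from("<I", data, opt + nrva_off)
    dirs = {}
    for i in range(min(n_dirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + dir_off + 8 * i)
        if rva or size:
            dirs[i] = (rva, size)
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "dll_characteristics": dll_chars, "directories": dirs}


def triage(data: bytes, now=None) -> dict:
    """Turn raw header fields into report-style findings."""
    hdr = parse_pe_header(data)
    now = now or datetime.now(timezone.utc)
    built = EPOCH + timedelta(seconds=hdr["timestamp"])   # no 32-bit time_t limit
    flags = [n for bit, n in FILE_CHARACTERISTICS.items() if hdr["characteristics"] & bit]
    dll_flags = [n for bit, n in DLL_CHARACTERISTICS.items() if hdr["dll_characteristics"] & bit]
    dirs = [DIRECTORY_NAMES.get(i, f"entry {i}") for i in sorted(hdr["directories"])]
    findings = []
    if built > now:
        findings.append("suspicious time stamp: build date is in the future")
    if 14 in hdr["directories"]:
        findings.append(".NET assembly (CLR header present)")
    return {"build_time": built.isoformat(), "characteristics": flags,
            "dll_characteristics": dll_flags, "directories": dirs, "findings": findings}


def build_sample_header() -> bytes:
    """Constructed PE32 header carrying the values the report lists; NOT the sample's bytes."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine i386, 1 section, TimeDateStamp 0xBD051842, Characteristics EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0xBD051842, 0, 0, 96 + 16 * 8, 0x0102)
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x8540)   # DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * 6, 0x2000, 28)    # DEBUG directory (RVA/size made up)
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 72)   # COM descriptor (CLR header)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(triage(build_sample_header()))
```

Treat the time stamp as one weak signal rather than proof of tampering: C# compilers in deterministic mode write a content hash into TimeDateStamp, which produces equally nonsensical dates on perfectly benign assemblies. Here it lines up with the other findings (the OriginalFilename mismatch, the RedLine configuration) and so adds weight.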
                    Source: C:\Users\user\Desktop\file.exeCode function: 5_2_05D31DAF push FFFFFF8Bh; retf 5_2_05D31DB1
                    Source: C:\Users\user\Desktop\file.exeCode function: 5_2_05D4C710 push es; ret 5_2_05D4C720
                    Source: C:\Users\user\Desktop\file.exeCode function: 5_2_05D4E060 push es; ret 5_2_05D4E070
                    Source: C:\Users\user\Desktop\file.exeCode function: 5_2_05D4ECF2 push eax; ret 5_2_05D4ED01
                    Source: C:\Users\user\Desktop\file.exeCode function: 5_2_0722B28C push FFFFFF8Bh; iretd 5_2_0722B28E
                    Source: C:\Users\user\Desktop\file.exeCode function: 5_2_0722B2E0 push FFFFFF8Bh; iretd 5_2_0722B2E2

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\file.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: 23A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: 23F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: 43F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe TID: 496 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe TID: 7064 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696503903o
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696503903s
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696503903o
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696503903j
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696503903f
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696503903t
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696503903t
                    Source: file.exe, 00000005.00000002.1546112643.0000000006165000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696503903s
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696503903f
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696503903x
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696503903x
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696503903t
                    Source: file.exe, 00000005.00000002.1539163940.0000000003780000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696503903j
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
                    Source: file.exe, 00000005.00000002.1539163940.00000000034F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
                    Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: file.exe, 00000005.00000002.1536758228.00000000007D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: file.exe, type: SAMPLE
                    Source: Yara match | File source: 5.0.file.exe.100000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.1284557443.0000000000102000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 3956, type: MEMORYSTR
                    Source: file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLR_qD9
                    Source: file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $_q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $_q-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR_q
                    Source: file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR_q\D
                    Source: file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $_q%appdata%`,_qdC:\Users\user\AppData\Roaming`,_qdC:\Users\user\AppData\Roaming\Binance
                    Source: file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $_q&%localappdata%\Coinomi\Coinomi\walletsLR_q
                    Source: file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $_q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                    Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                    Source: Yara matchFile source: 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: file.exe PID: 3956, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: 5.0.file.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000000.1284557443.0000000000102000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 3956, type: MEMORYSTR
MITRE ATT&CK matrix (tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    1
                    Masquerading
                    1
                    OS Credential Dumping
                    231
                    Security Software Discovery
                    Remote Services1
                    Archive Collected Data
                    1
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Disable or Modify Tools
                    LSASS Memory1
                    Process Discovery
                    Remote Desktop Protocol3
                    Data from Local System
                    1
                    Non-Standard Port
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                    Virtualization/Sandbox Evasion
                    Security Account Manager241
                    Virtualization/Sandbox Evasion
                    SMB/Windows Admin SharesData from Network Shared Drive1
                    Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
                    Obfuscated Files or Information
                    NTDS1
                    File and Directory Discovery
                    Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Install Root Certificate
                    LSA Secrets113
                    System Information Discovery
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Timestomp
                    Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading
                    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14ResponseD | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23ResponseD | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6ResponseD | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13ResponseD | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1ResponseD | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21ResponseD | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10ResponseD | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15ResponseD | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11ResponseD | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17ResponseD | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8ResponseD | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe
http://purl.oen | 0% | Avira URL Cloud | safe
                    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14ResponseD | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | file.exe, 00000005.00000002.1537465544.000000000255C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | file.exe, 00000005.00000002.1537465544.0000000002788000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://purl.oen | file.exe, 00000005.00000002.1536654966.000000000077E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13ResponseD | file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | file.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id20 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21ResponseD | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10ResponseD | file.exe, 00000005.00000002.1537465544.000000000255C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12 | file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id16Responsefile.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsefile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelfile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id13file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id14file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id15file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id16file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Noncefile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id17file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000024E7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id18file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id5Responsefile.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id19file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsfile.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id15ResponseDfile.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id10Responsefile.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Renewfile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id11ResponseDfile.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.0000000002734000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id8Responsefile.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyfile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDfile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTfile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityfile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id17ResponseDfile.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.000000000278C000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/soap/envelope/file.exe, 00000005.00000002.1537465544.00000000023F1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id8ResponseDfile.exe, 00000005.00000002.1537465544.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyfile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1file.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trustfile.exe, 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    185.215.113.67 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1482539
                    Start date and time:2024-07-26 01:03:35 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 0s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Run name:Run with higher sleep bypass
                    Number of new started processes analysed:16
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal96.troj.spyw.evad.winEXE@1/5@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 91
                    • Number of non-executed functions: 6
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: file.exe
                    No simulations
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    185.215.113.67 | oMHveSc3hh.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
                     | 0KuDEDABFO.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
                     | miOnrvnXK0.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
                     | Rh74sODsWE.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
                     | dSQUdo6EjO.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
                     | usVhwck8lN.exe | malicious | Amadey Raccoon | 185.215.113.67/4dcYcWsw3/index.php
                     | SecuriteInfo.com.W32.AIDetect.malware1.20102.exe | malicious | Amadey | 185.215.113.67/4dcYcWsw3/index.php
                     | MR98F1zzeo.exe | malicious | Amadey Raccoon Vidar | 185.215.113.67/4dcYcWsw3/index.php
                     | 8f5718a6042061b23a4e42ee5cd8112946c135dc9d0c2.exe | malicious | Amadey | 185.215.113.67/4dcYcWsw3/index.php
                     | fC4T1vVs24.exe | malicious | Amadey | umbrelladownload.uno/gp6GbqVce/index.php
                    No context
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    WHOLESALECONNECTIONSNL | LisectAVT_2403002A_22.exe | malicious | Amadey | 185.215.113.32
                     | LisectAVT_2403002A_338.exe | malicious | Amadey | 185.215.113.32
                     | LisectAVT_2403002B_222.exe | malicious | Amadey, Bdaejec | 185.215.113.32
                     | LisectAVT_2403002B_259.exe | malicious | Amadey | 185.215.113.32
                     | LisectAVT_2403002B_29.exe | malicious | Amadey, Bdaejec | 185.215.113.32
                     | LisectAVT_2403002B_290.exe | malicious | Bdaejec | 185.215.113.66
                     | LisectAVT_2403002B_53.exe | malicious | Amadey | 185.215.113.32
                     | LisectAVT_2403002B_77.exe | malicious | Amadey | 185.215.113.32
                     | Lisect_AVT_24003_G1A_79.exe | malicious | Amadey, Bdaejec | 185.215.113.32
                    No context
                    No context
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 10:09:14 2023, atime=Mon Oct 2 20:46:56 2023, length=3242272, window=hide
                    Category:dropped
                    Size (bytes):2104
                    Entropy (8bit):3.465084577299074
                    Encrypted:false
                    SSDEEP:48:8Sqd4TUCr5RYrnvPdAKRkdAGdAKRFdAKRN:8S9i
                    MD5:0204FCA7A946694CB22DEA259D5BC269
                    SHA1:427BDD8E24B2856DA8A27B5A704B3A5B3AC0EFE3
                    SHA-256:4298DD0E2B6A424528CDBE16972FA32BBCB0E41CA0D8A9F691B7F15B0A59EB66
                    SHA-512:FF3B6C5A9A1DE8B2AC1A39FB3CFDA3A6E28883E5F1EAD1CEC30215B07F0818C09427F2839167A3AAF1DE6504BDACAF6591969908C6FF1C633E63A643744EE81E
                    Malicious:false
                    Reputation:low
                    Preview (LNK binary; readable strings only):PROGRA~1, Program Files, @shell32.dll,-21781, Google, Chrome, APPLIC~1, Application, chrome.exe, C:\Program Files\Google\Chrome\Application\chrome.exe, Access the Internet, \Program Files\Google\Chrome\Application\chrome.exe, C:\Program Files\Google\Chrome\Application, --proxy-server (preview truncated)
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):3274
                    Entropy (8bit):5.3318368586986695
                    Encrypted:false
                    SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
                    MD5:0C1110E9B7BBBCB651A0B7568D796468
                    SHA1:7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
                    SHA-256:112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
                    SHA-512:46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
                    Malicious:true
                    Reputation:moderate, very likely benign file
                    Preview:
                    1,"fusion","GAC",0
                    1,"WinRT","NotApp",1
                    2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
                    3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
                    2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
                    3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
                    3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
                    3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02 (preview truncated)
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2662
                    Entropy (8bit):7.8230547059446645
                    Encrypted:false
                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2662
                    Entropy (8bit):7.8230547059446645
                    Encrypted:false
                    SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                    MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                    SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                    SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                    SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2251
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:0158FE9CEAD91D1B027B795984737614
                    SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                    SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                    SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):5.081927371705491
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    File name:file.exe
                    File size:311'296 bytes
                    MD5:a9a37926c6d3ab63e00b12760fae1e73
                    SHA1:944d6044e111bbad742d06852c3ed2945dc9e051
                    SHA256:27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b
                    SHA512:575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97
                    SSDEEP:3072:aq6EgY6iQrUjGk14lwPK4qw9LwwPITAztASKwlcZqf7D34leqiOLibBOh:ZqY6iwwPIknATAZA+lcZqf7DIvL
                    TLSH:96646C1867EC8911E27F4B799471D2749375EC56A512E30F4EC06CAB3E32741FA21AB2
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B.................0.................. ... ....@.. ....................... ............@................................
                    Icon Hash:4d8ea38d85a38e6d
                    Entrypoint:0x42b9c6
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0xBD051842 [Sun Jun 29 00:35:14 2070 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b974 | 0x4f | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9c4 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b958 | 0x1c | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x2e9ac | 0x2ec00 | 84566df0b515c6bb19b3a653166f8ed1 | False | 0.4696795621657754 | data | 6.204990180609533 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x32000 | 0x1c9c4 | 0x1cc00 | f9e85790be7519386da34345138f8079 | False | 0.2372452445652174 | data | 2.605726988651011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x50000 | 0xc | 0x400 | 81fbfb1de1f36732da138237e2fb4305 | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x321a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x466ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4df94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e40c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e478 | 0x34a | data | | | 0.44418052256532065
RT_MANIFEST | 0x4e7d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T01:04:34.357258+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:34.607725+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 40960 | 49703 | 185.215.113.67 | 192.168.2.11
2024-07-26T01:04:39.656148+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:39.912452+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 40960 | 49703 | 185.215.113.67 | 192.168.2.11
2024-07-26T01:04:40.215517+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:40.469456+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:40.746049+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:41.083135+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:41.369324+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:42.092703+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:42.389735+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:42.641660+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:42.889746+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:43.139769+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:43.619800+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:43.871833+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:44.126664+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:44.376979+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:44.633276+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:44.974829+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:45.344635+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:45.351191+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:46.543269+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:46.794068+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:47.090174+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:47.382492+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49703 | 40960 | 192.168.2.11 | 185.215.113.67
2024-07-26T01:04:51.050265+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49704 | 20.114.59.183 | 192.168.2.11
2024-07-26T01:05:29.373404+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49710 | 20.114.59.183 | 192.168.2.11
                    Jul 26, 2024 01:04:45.380347967 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.380357027 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.380376101 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.380410910 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.380629063 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.380639076 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.380671978 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.380681038 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.380681992 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.380692005 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.380701065 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.381751060 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.381771088 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.381779909 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.381911039 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.381987095 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.381994963 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.381999969 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382006884 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382074118 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382082939 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382090092 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382097960 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382106066 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382196903 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382206917 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382214069 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382220984 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382230043 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382241011 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382251024 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382533073 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382584095 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382643938 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382807970 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382817030 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382824898 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382833958 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382841110 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382849932 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382858038 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382867098 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.382875919 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.383065939 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.385005951 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385016918 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385061026 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385071039 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385099888 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.385108948 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385119915 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385129929 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.385149002 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.385171890 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.385190964 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385221004 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385236025 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.385255098 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385265112 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385267973 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.385313988 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.385416031 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385426998 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385436058 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385445118 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385454893 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.385466099 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386228085 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386281013 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386290073 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386300087 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386346102 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386354923 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386403084 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386413097 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386501074 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386509895 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386512995 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386538029 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386548996 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386698961 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386708975 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386717081 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.386725903 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387033939 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387044907 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387126923 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387136936 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387343884 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387355089 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387363911 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387372971 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387382030 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387391090 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387402058 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387411118 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.387419939 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388170958 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388192892 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388214111 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388277054 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388386965 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388396978 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388405085 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388415098 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.388783932 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.389480114 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389530897 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.389544964 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389556885 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389586926 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.389616013 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389619112 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.389626026 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389689922 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389750957 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389760017 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389905930 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389915943 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389924049 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389934063 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389944077 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389986992 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.389996052 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390059948 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390069962 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390078068 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390199900 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390209913 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390218019 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390227079 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390239000 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390281916 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390364885 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390376091 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390381098 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390413046 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390486002 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390496016 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390626907 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390636921 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390645027 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390654087 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390664101 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390758991 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390769005 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390777111 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390784979 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390794039 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390803099 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.390856981 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.391516924 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.391530037 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.391568899 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.391577959 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.391762018 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.392180920 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.392200947 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.392209053 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.392218113 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.392230034 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.392237902 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.392453909 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.392714024 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.392834902 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.395045042 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395056009 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395107985 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395117044 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395124912 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395173073 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395181894 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395186901 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395262003 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395270109 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395788908 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395798922 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395807028 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395814896 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395823002 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395831108 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395840883 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395848989 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395857096 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395859957 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395868063 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395876884 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395879984 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395890951 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395899057 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395906925 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395925045 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395934105 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395941973 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395950079 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395952940 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395956039 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.395963907 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396007061 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396086931 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396095037 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396102905 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396142960 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396151066 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396203041 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396209955 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396214008 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396220922 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396229029 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396563053 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396573067 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396583080 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396591902 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396600962 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.396610022 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.397281885 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.397319078 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.397330046 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.397543907 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.397825003 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.397928953 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.399027109 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399036884 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399045944 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399054050 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399307013 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399317980 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399326086 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399333954 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399343014 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399353981 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399363995 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399372101 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399382114 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399391890 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399400949 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399472952 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399595976 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399605989 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399714947 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399728060 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399770975 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399799109 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.399810076 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400166988 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400177002 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400185108 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400193930 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400203943 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400213957 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400223017 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400232077 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400240898 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400249958 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400259018 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400269985 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400461912 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400526047 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400535107 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400544882 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.400553942 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401438951 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401448965 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401458979 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401467085 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401470900 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401479959 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401489019 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401499033 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401508093 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401518106 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401526928 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401535034 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401545048 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401556015 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.401771069 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.401886940 CEST4970340960192.168.2.11185.215.113.67
                    Jul 26, 2024 01:04:45.404711962 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.404723883 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.404876947 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.404923916 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405020952 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405031919 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405297995 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405308008 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405317068 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405325890 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405335903 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405345917 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405349970 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405358076 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405365944 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405374050 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405381918 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405390024 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405400038 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405407906 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405420065 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405431032 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405450106 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405458927 CEST4096049703185.215.113.67192.168.2.11
                    Jul 26, 2024 01:04:45.405462980 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405471087 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405483007 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405493021 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405503035 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405512094 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405559063 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405567884 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405608892 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405618906 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.405785084 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.449433088 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:45.449749947 CEST    49703    40960    192.168.2.11      185.215.113.67
                    Jul 26, 2024 01:04:45.501465082 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:46.506551981 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:46.543268919 CEST    49703    40960    192.168.2.11      185.215.113.67
                    Jul 26, 2024 01:04:46.549978971 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:46.793303013 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:46.794068098 CEST    49703    40960    192.168.2.11      185.215.113.67
                    Jul 26, 2024 01:04:46.800292969 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:47.088644028 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:47.090173960 CEST    49703    40960    192.168.2.11      185.215.113.67
                    Jul 26, 2024 01:04:47.096390963 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:47.348496914 CEST    40960    49703    185.215.113.67    192.168.2.11
                    Jul 26, 2024 01:04:47.382492065 CEST    49703    40960    192.168.2.11      185.215.113.67

                    Target ID:5
                    Start time:19:04:30
                    Start date:25/07/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x100000
                    File size:311'296 bytes
                    MD5 hash:A9A37926C6D3AB63E00B12760FAE1E73
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.1284557443.0000000000102000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true
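The Yara matches above and the "Memory Dump Source" entries further down both refer to Joe Sandbox memory dumps by a dotted hexadecimal file name. The helper below, added here as an example and not part of the report or of Joe Sandbox's own tooling, splits those names into their fields and separates hits in the on-disk image from hits in private memory. The field layout is an assumption inferred from this report: the first field matches "Target ID:5", the fourth matches "Offset: 07220000" in the IDA plugin entries, and the fifth and seventh line up with the Windows PAGE_* and MEM_* constants (0x40 = PAGE_EXECUTE_READWRITE, 0x01000000 = MEM_IMAGE, 0x20000 = MEM_PRIVATE). The remaining fields are parsed but treated as opaque. The sample input is the three Yara lines from this process block.

```python
"""Triage helper for Joe Sandbox memory-dump identifiers.

Added example, not part of the report or of Joe Sandbox's tooling.  The field
layout is an ASSUMPTION inferred from the report (see the lead-in): field 1 is
the target id, field 4 the base address, field 5 the page protection and
field 7 the region type.  Fields 3, 6 and 8 are kept opaque.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# Windows memory constants (documented values, not report-specific).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x00020000
MEM_IMAGE = 0x01000000

DUMP_RE = re.compile(
    r"^(?P<target>[0-9a-f]{8})\.(?P<snapshot>[0-9a-f]{8})\.(?P<f3>[0-9a-f]+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<region>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)

# "Rule: <name>, ..., Source: <dump>.sdmp, ..." as printed in the process block.
YARA_LINE_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+\.sdmp)")


@dataclass(frozen=True)
class DumpRegion:
    target_id: int      # sandbox target (process) id, 5 for file.exe here
    snapshot: int       # 0 at process start, 2 at end of run (assumption)
    base: int           # region base address
    protect: int        # page protection, assumed PAGE_* value
    region_type: int    # assumed MEM_IMAGE / MEM_PRIVATE / MEM_MAPPED value

    @property
    def is_image_backed(self) -> bool:
        return self.region_type == MEM_IMAGE

    @property
    def is_rwx(self) -> bool:
        return self.protect == PAGE_EXECUTE_READWRITE


def parse_dump_name(name: str) -> DumpRegion:
    """Split a *.sdmp file name into its numeric (hex) fields."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        target_id=int(m["target"], 16),
        snapshot=int(m["snapshot"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        region_type=int(m["region"], 16),
    )


def yara_hits(lines: Iterable[str]) -> Iterator[Tuple[str, DumpRegion]]:
    """Yield (rule name, region) for every Yara match line in a process block."""
    for line in lines:
        m = YARA_LINE_RE.search(line)
        if m:
            yield m["rule"].strip(), parse_dump_name(m["src"])


def unpacked_candidates(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Yara hits in memory that is NOT backed by the on-disk image.

    For a packed stealer these are the regions to dump and analyse: the
    decrypted payload lives there rather than in file.exe on disk.
    """
    hits = {(rule, r.base) for rule, r in yara_hits(lines) if not r.is_image_backed}
    return sorted(hits)


# The three Yara match lines from the report's process block (target 5, file.exe).
REPORT_YARA_LINES = [
    "• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, "
    "Source: 00000005.00000000.1284557443.0000000000102000.00000002.00000001.01000000.00000004.sdmp, "
    "Author: Joe Security",
    "• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, "
    "Source: 00000005.00000002.1537465544.0000000002498000.00000004.00000800.00020000.00000000.sdmp, "
    "Author: Joe Security",
    "• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, "
    "Source: 00000005.00000002.1537465544.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, "
    "Author: Joe Security",
]

if __name__ == "__main__":
    for rule, region in yara_hits(REPORT_YARA_LINES):
        print(f"{rule:32} target={region.target_id} snapshot={region.snapshot} "
              f"base=0x{region.base:08x} protect=0x{region.protect:02x} "
              f"image={region.is_image_backed} rwx={region.is_rwx}")
    for rule, base in unpacked_candidates(REPORT_YARA_LINES):
        print(f"dump candidate: {rule} @ 0x{base:08x}")
```

Run against the three lines above, the RedLine rule hits the image-backed region at 0x102000 (the file's own .text, snapshot 0, read-only), while both credential-stealer hits sit in private read-write memory at 0x2498000 and 0x27a3000 at the end of the run. The same parser applied to the IDA plugin sources below (0x7220000, 0x5d40000, 0x5d30000) reports private memory with protection 0x40, which is the usual footprint of code decrypted at runtime and the reason those entries say "based on PE: false"; those regions, not the 311 KB file on disk, are what to carve for configuration and C2 extraction.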

                      Execution Graph

                      Execution Coverage:10%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:72
                      Total number of Limit Nodes:9
                      execution_graph (rendered call graph; node and edge data omitted). API calls resolved at graph nodes: LoadLibraryW (0x7225454, 0x72259e8), CreateActCtxA (0x48d4248, 0x48d5940), DuplicateHandle (0x48dc9a0, 0x48dd300), GetModuleHandleW (0x48d9838, 0x48db020, 0x48db068), LoadLibraryExW (0x48da870, 0x48db2a8); the nodes at 0x48db0b8 and 0x48db0c8 each make 2 API calls.

                      Control-flow Graph (rendered graph; basic-block and edge data omitted)

                      Function at 0x722b380; calls 0x72220c8, 0x7221a48 and 0x7221910.
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'_q$4c_q$4c_q$4c_q$4|dq$Hcq$Hcq$Hcq$Hcq$LR_q$$_q$$_q$$_q$$_q
                      • API String ID: 0-4055236990
                      • Opcode ID: 82f1fa24aae8703bd23fd56368915cb07283b7132b1f8348a4856d4b7ffa40bd
                      • Instruction ID: 5f67e6e979d8d27656de75594b4d10de01c569c98b64276d53bf15ec217501f4
                      • Opcode Fuzzy Hash: 82f1fa24aae8703bd23fd56368915cb07283b7132b1f8348a4856d4b7ffa40bd
                      • Instruction Fuzzy Hash: 53D1E5F0A241279FCB199B79C4642BDBBF2EF86300F148469D446DB291FB78D942E750
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: (__q$(__q$,cq$4c_q$4c_q$Hcq$Nv^q$$_q$$_q$$_q$c_q$c_q
                      • API String ID: 0-2707661932
                      • Opcode ID: 91fd1c56b52b3f2b44320420feb0ba046f9f392bb47dae2351e284cc07806a90
                      • Instruction ID: 53622c8cda8edfddfc3ad24262dbc989d6fbd21b40f04e3915e99f9c1e42a56d
                      • Opcode Fuzzy Hash: 91fd1c56b52b3f2b44320420feb0ba046f9f392bb47dae2351e284cc07806a90
                      • Instruction Fuzzy Hash: 3882B6B0B101259FCB699BBE541123D66D3BFCD740B2049A9E50ADF395EE34CD42CBA2

                      Control-flow Graph (rendered graph; basic-block and edge data omitted)

                      Function at 0x7221bd0; calls 0x7221a48, 0x72220c8 and 0x7221910.
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: Hcq$Hcq$Hcq$Hcq$Hcq
                      • API String ID: 0-1692708840
                      • Opcode ID: 8fa6f2485240d482943a99e1b005df0acf8d77f1a292c700b8b9350aacb814a5
                      • Instruction ID: 6db9eb5017ec59a7f28d5b08efa0cd5ef3183e2ee7becd24497001d8e8a500b4
                      • Opcode Fuzzy Hash: 8fa6f2485240d482943a99e1b005df0acf8d77f1a292c700b8b9350aacb814a5
                      • Instruction Fuzzy Hash: 76F1E3B0A2026BDBCB19CF74C4505BDFBB2FF85300F248669D806AB251D774DA92DB90

                      Control-flow Graph (rendered graph; basic-block and edge data omitted)

                      Function at 0x722f9f0; no call instructions resolved in the graph.
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: $_q$$_q$$_q$$_q
                      • API String ID: 0-1171383116
                      • Opcode ID: 2b99a3f649ffb2fecfc9cf8cfa75ad21c00d7f8e9934f3aecd459b195baac00d
                      • Instruction ID: 93e784ec2b290a968ebcf8a79907cc2103d783f6d19bec35ea4cfd533ec83aff
                      • Opcode Fuzzy Hash: 2b99a3f649ffb2fecfc9cf8cfa75ad21c00d7f8e9934f3aecd459b195baac00d
                      • Instruction Fuzzy Hash: 60C10AB0E1121DDFDB68DFA5C99079EBBB2BF89300F1085A9C409AB354DB749986CF41

                      Control-flow Graph (rendered graph; basic-block and edge data omitted)

                      Function at 0x722b828; contains a recursive call back to 0x722b828 (from the block at 0x722bf0e).
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4|dq$$_q$$_q
                      • API String ID: 0-2093243903
                      • Opcode ID: fd445593cd81d22a9d2a80f26e322e8500480a2f40635c2430258cef27d793ad
                      • Instruction ID: ecc06943db639450ffd1cfd9654491666b38ccf7684c9a96bbaa23fd6d26ab70
                      • Opcode Fuzzy Hash: fd445593cd81d22a9d2a80f26e322e8500480a2f40635c2430258cef27d793ad
                      • Instruction Fuzzy Hash: 680281B0B102199FDB18DF7AC8546AEBBB6BF89300F148469E409DB351EF74DD428B91

                      Control-flow Graph (rendered graph; basic-block and edge data omitted)

                      Function at 0x7220040; call sites at 0x7220160 (resolved to 0x72209b0, 0x7220901, 0x7220a86 or 0x72209f6), 0x7220195 (0x722ccd7 or 0x722cce8) and 0x7220206 (0x722ef68 or 0x722ef78).
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: .$1
                      • API String ID: 0-1839485796
                      • Opcode ID: 553e1dc2c4887018d43a34af1287cfc1741920f8b88abb01f902ef4261280ed9
                      • Instruction ID: eb872991a436838956874a71ebacc793e3c1a6748cd21336dcda9e064bbcd2fa
                      • Opcode Fuzzy Hash: 553e1dc2c4887018d43a34af1287cfc1741920f8b88abb01f902ef4261280ed9
                      • Instruction Fuzzy Hash: 3DF1DE74E01229DFDB28CF65C984BDDBBB2BF89305F1081AAD509AB250DB759E81CF10
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7da90ce0ee15b17866b7a5ec6976ae90a88f812ca3d7bd1c73a23cf11f756190
                      • Instruction ID: 2f24570eeb114886baf790a50c5543d56cbcb68328882b9a233ae130978b22cf
                      • Opcode Fuzzy Hash: 7da90ce0ee15b17866b7a5ec6976ae90a88f812ca3d7bd1c73a23cf11f756190
                      • Instruction Fuzzy Hash: FA829EF4620223DFDB24DF68D648B6A77F1BB48308F1081A8C9099B756DB38D986DF51
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e3c6befdbe4ec4dfd5e722c4d22239a1cbc5f805db64cc7c41643b43f7264ab9
                      • Instruction ID: cf5b5f016ccc78865955bdb96e634b0f9ca6dcffb69ba905f8fd7a5879d6e3e6
                      • Opcode Fuzzy Hash: e3c6befdbe4ec4dfd5e722c4d22239a1cbc5f805db64cc7c41643b43f7264ab9
                      • Instruction Fuzzy Hash: 64F1B370A002099FDB15DF69D884B9EBBF2FF89300F14856AE50ADB261DB31ED45CB91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 464a19d595d40f4e70516edb1ed5174effcff4ba7c4603a86f44551783249b7a
                      • Instruction ID: b76b5ffdb223e917136a1b454f608c86d07336308c00601088a178baf628454b
                      • Opcode Fuzzy Hash: 464a19d595d40f4e70516edb1ed5174effcff4ba7c4603a86f44551783249b7a
                      • Instruction Fuzzy Hash: 3AE1D6B4E11219DFDB14CFA9C984B9DFBB2FF48310F2481A9D409AB255D734A986CF50
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bde46cdd2910bffe4efa0a00f2a2cea0464fc6e06e16e3c9d60635c6e99d7e71
                      • Instruction ID: 3aa84451747c16f538de867773ee87a6083ad40bb53add07b3dbd9287cc2dcea
                      • Opcode Fuzzy Hash: bde46cdd2910bffe4efa0a00f2a2cea0464fc6e06e16e3c9d60635c6e99d7e71
                      • Instruction Fuzzy Hash: 7CD10634E00208CFDB58EFB4D848A9DBBB2FF8A301F1095A9E50AAB354DB355985CF11
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 537688df6458f6a220985183086e104f73bd8c683df42bfc8d4f373794bd1f9f
                      • Instruction ID: 9ffd3a0bf28f11a66ec8df500bb5aeac5e7a111963a91fe72f39b081dcf0d5b2
                      • Opcode Fuzzy Hash: 537688df6458f6a220985183086e104f73bd8c683df42bfc8d4f373794bd1f9f
                      • Instruction Fuzzy Hash: 6BD1D534A00218CFDB18EFB4D858A9DBBB2FF8A301F5095A9E50AAB354DB355985CF11
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 240a3e0a3c41cb6870342683eeb79045c595dc425d93fedf67599625e4c2050f
                      • Instruction ID: 4be1a71e853f853a2d84d1d008aa17dc6290c36e7a7f5ee869458a0f22ac2ade
                      • Opcode Fuzzy Hash: 240a3e0a3c41cb6870342683eeb79045c595dc425d93fedf67599625e4c2050f
                      • Instruction Fuzzy Hash: 9641F7B0E00609DFDB18DFAAC95469EFBF2BF89300F24C52AC419AB254DB745942CF51

                      Control-flow Graph (rendered graph; basic-block and edge data omitted)

                      Function at 0x5d30d80; no call instructions resolved in the graph.
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
                      • API String ID: 0-585025184
                      • Opcode ID: 10534a2618f218d175ccf29377efbb51ef42529625540a3cdad9ee937c11667e
                      • Instruction ID: a58ba1aa4eb82f7bb4b501e271310077a5af2af3d18121cad0f6261fad0fe4dd
                      • Opcode Fuzzy Hash: 10534a2618f218d175ccf29377efbb51ef42529625540a3cdad9ee937c11667e
                      • Instruction Fuzzy Hash: 0C227D70B046069FCB15DBA9C859A7ABBF7BF88710B14846AE506DB3A2CF70DC41CB51

                      Control-flow Graph (rendered graph; basic-block and edge data omitted)

                      Function at 0x5d31582; no call instructions resolved in the graph.
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: $_q$$_q$$_q$$_q$$_q$$_q
                      • API String ID: 0-155944776
                      • Opcode ID: 9361f10eab1465c366ff09443ee25426e8fbcaf17a5e44bd55c3ba618ea11882
                      • Instruction ID: 6e730b33b8f31e05beff3e770f3a00301e811bb2d30935671ba1544799c95ef2
                      • Opcode Fuzzy Hash: 9361f10eab1465c366ff09443ee25426e8fbcaf17a5e44bd55c3ba618ea11882
                      • Instruction Fuzzy Hash: 26C1AD707042069FDB149BA9C859A3E7BE7BF89704F14886AE5038B3A2DFB5DC01CB51

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID: ,Vu$,Vu
                      • API String ID: 4139908857-2887643215
                      • Opcode ID: 37c082bdae7ebcaacf877c5d1303746ba73a502e688b46786c45bf61c4b78e9c
                      • Instruction ID: 7818f9607e901b79a86535c4e33e889adde2bb748674b2821d178eabe14524a4
                      • Opcode Fuzzy Hash: 37c082bdae7ebcaacf877c5d1303746ba73a502e688b46786c45bf61c4b78e9c
                      • Instruction Fuzzy Hash: DD7113B0A01B458FDB28DF2AC04475ABBF1FF88304F148A29D44ADBA50D779F945CB91

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: $_q$$_q
                      • API String ID: 0-458585787
                      • Opcode ID: e280155556149dbf4d3a2ba14b691fd304ccf5e6dfbfd6f298b8dc0497476f62
                      • Instruction ID: 5fb52e0d1929a833f467d182fd3865e7138a10906ee93315530ebd40b6b64601
                      • Opcode Fuzzy Hash: e280155556149dbf4d3a2ba14b691fd304ccf5e6dfbfd6f298b8dc0497476f62
                      • Instruction Fuzzy Hash: F441D774700202AFD754A7E98C56A3B76EBAF88714F15442AFA029F391CEA1CC41C761
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: lPj
                      • API String ID: 0-2102322720
                      • Opcode ID: 653b2ef627b732980a3b0b1408add40ccf9e91b4c6887fe93e662412b085a430
                      • Instruction ID: 415a25336d36fefc0abf1c8df490e861180a53ae32663a93058a818766d2488b
                      • Opcode Fuzzy Hash: 653b2ef627b732980a3b0b1408add40ccf9e91b4c6887fe93e662412b085a430
                      • Instruction Fuzzy Hash: 24028D707006148FDB259B68D859A2E7BF6FBC9704F044969E5039F3A1CBB9ED01CB92
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: $_q
                      • API String ID: 0-238743419
                      • Opcode ID: 761fef8041d5dccb57f4456bbbcb71cf0fa8e99088b999e55b347431811be72a
                      • Instruction ID: a398ed4999353de6c819ff42cd7eebb5b317d509c358a0a3a89f64742edff883
                      • Opcode Fuzzy Hash: 761fef8041d5dccb57f4456bbbcb71cf0fa8e99088b999e55b347431811be72a
                      • Instruction Fuzzy Hash: 39E12D74B102158FCB14DF69C594AAEBBF6BF88700B14856AE906EB365EB31DC41CF90
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 048D59F1
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 808392955284e55398eb66a0c03eb63ebab72e1d5c07bc3b4c440b0a06946dfa
                      • Instruction ID: b3ca945a4f6dc5eab1c530cacf6cd6c10e20ad1dd29902d8ca08f8b16555005a
                      • Opcode Fuzzy Hash: 808392955284e55398eb66a0c03eb63ebab72e1d5c07bc3b4c440b0a06946dfa
                      • Instruction Fuzzy Hash: 7541E2B0D01629CFDB24DFA9C984BCDBBB5FF48304F24856AD408AB251DB756946CF90
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 048D59F1
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: be562eccf54a860f953e26ee17cace56e5118500e7ebc8e7e6e8259cc1235547
                      • Instruction ID: 51576d41d12aa937632fb58cfb94878972604e5a322d8cb1b0c81bb01e2589be
                      • Opcode Fuzzy Hash: be562eccf54a860f953e26ee17cace56e5118500e7ebc8e7e6e8259cc1235547
                      • Instruction Fuzzy Hash: 8B41EFB0D0162DDBDB24DFA9C884B8DBBF5FF48304F20856AD408AB250DB756945CF90
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,048DD2C6,?,?,?,?,?), ref: 048DD387
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: c56aff8548f283952fb197874e5c80104f0fa79d6fc32a2f24798b211c82e5d0
                      • Instruction ID: 6aa1eb5e49096f47c6ea9d4ad64f1278448c28b2a865646fae0f2e812779153a
                      • Opcode Fuzzy Hash: c56aff8548f283952fb197874e5c80104f0fa79d6fc32a2f24798b211c82e5d0
                      • Instruction Fuzzy Hash: D721E5B5901248DFDB10CF9AD984AEEBBF4EB48320F14841AE914E7310D379A954CFA5
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,048DD2C6,?,?,?,?,?), ref: 048DD387
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 824c100b05eb1bb93aaa0829077011093584a4f64a2351c51db7262611f3f3fa
                      • Instruction ID: eb9a6167e0ede3e7a72acc19b6208dfc016b9a23502d0e4851eb913438ad6e27
                      • Opcode Fuzzy Hash: 824c100b05eb1bb93aaa0829077011093584a4f64a2351c51db7262611f3f3fa
                      • Instruction Fuzzy Hash: 1821E2B5900249DFDB10CFAAD980ADEBBF5EB48320F14841AE918B7350D378A944CF61
                      APIs
                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,07225946), ref: 07225A4E
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 226fc0136820cc1115efa8d3697d0ae5de17441a8b86ce048ea9e8c7f120f15a
                      • Instruction ID: 564e895dcc5b30cf688b08ceb589a940ae5cf162eb0efc2b148e0e35e4db7c26
                      • Opcode Fuzzy Hash: 226fc0136820cc1115efa8d3697d0ae5de17441a8b86ce048ea9e8c7f120f15a
                      • Instruction Fuzzy Hash: 361153B1C0035ADFDB10CFAAC844A9EFBF4EF88320F14846AD419A7200D378A506CFA1
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,048DB101,00000800,00000000,00000000), ref: 048DB312
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: fc2f46dd573fe69742a65ed468c2c3db5618b1cb025aa0d4ba84f0b378b58e07
                      • Instruction ID: d98486ba51ed57a3108d4a3d77dab835f3655d0265fe34a32ff2f1f156e6e3e9
                      • Opcode Fuzzy Hash: fc2f46dd573fe69742a65ed468c2c3db5618b1cb025aa0d4ba84f0b378b58e07
                      • Instruction Fuzzy Hash: 851114B6D003499FDB10CF9AC444A9EFBF4EB48320F15892ED519A7200C375A544CFA5
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,048DB101,00000800,00000000,00000000), ref: 048DB312
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 44b1b3b8509c7eb0dac67f43c721a72684ba569215e9157389bc21b9ff52a7bb
                      • Instruction ID: c994dc161aa12c615bc248ffe51241ea4ffe79a3af93faeb7a7f7581e884e163
                      • Opcode Fuzzy Hash: 44b1b3b8509c7eb0dac67f43c721a72684ba569215e9157389bc21b9ff52a7bb
                      • Instruction Fuzzy Hash: F71114B6D00249CFDB14CF9AC984ADEFBF4EF88310F15851AD419A7640C375A545CFA1
                      APIs
                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,07225946), ref: 07225A4E
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 00238f08fbdc40f5f61e9a6c593d2bc21323b74ef4c072f1c5a5d232c518c8c7
                      • Instruction ID: 4c9ba242e4efb00591f75d69d307cd5ba63636584b3a5f89c57f03e773a7d76f
                      • Opcode Fuzzy Hash: 00238f08fbdc40f5f61e9a6c593d2bc21323b74ef4c072f1c5a5d232c518c8c7
                      • Instruction Fuzzy Hash: 761123B5C10359DBDB10CF9AC545A9EFBF4EF88320F14845AD419AB300D375A506CFA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: d
                      • API String ID: 0-2564639436
                      • Opcode ID: 015c422725d753a245ec35e0a77e9feff9d0ecff4575ecba8b39ef932e358f8f
                      • Instruction ID: 336315e6601620384142e291c6e99e16e9910081606e825a9f7aa6091e6744aa
                      • Opcode Fuzzy Hash: 015c422725d753a245ec35e0a77e9feff9d0ecff4575ecba8b39ef932e358f8f
                      • Instruction Fuzzy Hash: 78C16C35600606CFCB14CF59D584D6ABBF2FF88314B25C99AD59A8B665DB30F846CF80
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,048DAE4C), ref: 048DB086
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: d7de0d0ba1594b9af027aaa7e7f81cf7463d214d796b900c51f04bdce641d1cf
                      • Instruction ID: 44080845f5912e4703e22fe3c23d98ac20fbc957c2811353d0c113207cc30d34
                      • Opcode Fuzzy Hash: d7de0d0ba1594b9af027aaa7e7f81cf7463d214d796b900c51f04bdce641d1cf
                      • Instruction Fuzzy Hash: 5C1123B5C00349CBDB20DF9AC444B9EFBF4EB48320F15891AD428B7200D375A909CFA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'_q
                      • API String ID: 0-2033115326
                      • Opcode ID: 9c0e9b4e465666621459d0e687b7e7a5c353478d1ad6acd1da5e22cfeb3da110
                      • Instruction ID: a28ad6b1241640a73d193fe3508f120cba7b883633f5747088e9c3d101d15083
                      • Opcode Fuzzy Hash: 9c0e9b4e465666621459d0e687b7e7a5c353478d1ad6acd1da5e22cfeb3da110
                      • Instruction Fuzzy Hash: 183104B17042508FC71AA778A4501AE3BE6EFCA311355487AE08ACB752DF24EC0687E1
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'_q
                      • API String ID: 0-2033115326
                      • Opcode ID: eb3ccd20ac1e9965fd3a536972ad398e13eed99bd42228ccafec533f545d8b2e
                      • Instruction ID: 299fe4720c72256118bbba9d46d115743f8164d7f30f5bb8443ff957d6c0746e
                      • Opcode Fuzzy Hash: eb3ccd20ac1e9965fd3a536972ad398e13eed99bd42228ccafec533f545d8b2e
                      • Instruction Fuzzy Hash: CB31BC757002168FCB09ABB9A4A467E77E3AFC86197104839D50ADF385EE34CC068BD2
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'_q
                      • API String ID: 0-2033115326
                      • Opcode ID: 3a356540b06bbeedd8bb2122b19b2370af48942f9035c47383025a1f1dc9c5db
                      • Instruction ID: 610883d2df1ac70577b53ff867d720d43c1b26a05574547b79cdb57494a0ff0a
                      • Opcode Fuzzy Hash: 3a356540b06bbeedd8bb2122b19b2370af48942f9035c47383025a1f1dc9c5db
                      • Instruction Fuzzy Hash: 8601B1B4901249EFCB49EF78E88948C7FB6FB44300B108599E80A97251EB301E44CF12
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'_q
                      • API String ID: 0-2033115326
                      • Opcode ID: 8b837bd6988549b1ac3f220b5bfcde478688fdafd0ef2e2dd0b171fe6b2a65eb
                      • Instruction ID: 9f4fac21bba6b6db1ce296d84c5282ea14924582c078f5a6409d7c8ed6632cc7
                      • Opcode Fuzzy Hash: 8b837bd6988549b1ac3f220b5bfcde478688fdafd0ef2e2dd0b171fe6b2a65eb
                      • Instruction Fuzzy Hash: E5F090B13001018FC61CEB6AE49596E77E7DBCD2113544D28F00A9B714EF24BD4687E2
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'_q
                      • API String ID: 0-2033115326
                      • Opcode ID: f0c33e51d97e2c59af27a7faa654a7e844eb2061cb1152b72950a9fad0e7f611
                      • Instruction ID: e723cc95b6625c0ea522a022841b1cc62f1fa4c46e53133712abea1a919f2f7c
                      • Opcode Fuzzy Hash: f0c33e51d97e2c59af27a7faa654a7e844eb2061cb1152b72950a9fad0e7f611
                      • Instruction Fuzzy Hash: 87F03174A01209EFCB08EFB9E58D55D7BB6FB44300F1085A9E80A97350EB306E54CF41
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4c0ad7faeb6a8ee941aa111c7736cdd5d60e3b24521c891cc105a5fc9088547b
                      • Instruction ID: b95f09bf715cb6eaf1209504cc7207158e0357381aa5e3a0494f858daa62e5b2
                      • Opcode Fuzzy Hash: 4c0ad7faeb6a8ee941aa111c7736cdd5d60e3b24521c891cc105a5fc9088547b
                      • Instruction Fuzzy Hash: 1C924074B006189FDB159B64CC55BEEBBB2FF88700F10849AE506AB3A1DB719D81CF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9499f755d9bdb1df01d685338db44de3babb104a00378d4ee25a407efb0b948b
                      • Instruction ID: 66ce354e99ed09d8e366d3da3e579df069c7a38ddbcc929c6fc86735e06505b8
                      • Opcode Fuzzy Hash: 9499f755d9bdb1df01d685338db44de3babb104a00378d4ee25a407efb0b948b
                      • Instruction Fuzzy Hash: 63722874B002049FCB44DF69C895E6ABBF6BF89700F15809AE506DB3A6DB71ED40CB61
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 27d2b36b9a0e91320e27bf648c3acfa9c355a9d15f41e802b04a81c54c37946b
                      • Instruction ID: 509c3a74cb9c0f1fce1c93c7319ab3de3eac3b1183896b2f0c67fb558b4def8f
                      • Opcode Fuzzy Hash: 27d2b36b9a0e91320e27bf648c3acfa9c355a9d15f41e802b04a81c54c37946b
                      • Instruction Fuzzy Hash: FE526F74B002149FDB149B64C855EAE77B2FF88704F21849AE9069F7A2CB71ED81CF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ed8951b3148f7a5ea3cf73234434f9b9bec8abba93a53a61a6e84e0804133a74
                      • Instruction ID: 1d43244efee0c136a31a5c595299ffde8ca3b74e07e478250c52c9caac93a1a4
                      • Opcode Fuzzy Hash: ed8951b3148f7a5ea3cf73234434f9b9bec8abba93a53a61a6e84e0804133a74
                      • Instruction Fuzzy Hash: FA426770700A198FCB29AF79D45462E7BF2FBC5304B404A5CD507AF3A5DBB9AD018B86
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 47ae1185e4eeea1d7bf5df79620dbec80dbdbc1098f904933afa223ab3fac53b
                      • Instruction ID: 6fcfc874148aac9240e9c889d1f6599453b9afb6aae38242573c7c59fd02e723
                      • Opcode Fuzzy Hash: 47ae1185e4eeea1d7bf5df79620dbec80dbdbc1098f904933afa223ab3fac53b
                      • Instruction Fuzzy Hash: 38F19E707142049FCB55DF68C859E6ABBF6FF89310B1584AAE506DB3A2CB35DC01CBA1
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 72b4d39689fb2cb3e079d4200a47a4d044cd871e31966fce6a7b2f31ad220622
                      • Instruction ID: 1c816799e9c2a8b4bf95a7d87e70a1b3873c47484803483307d1b3dfc6860ea9
                      • Opcode Fuzzy Hash: 72b4d39689fb2cb3e079d4200a47a4d044cd871e31966fce6a7b2f31ad220622
                      • Instruction Fuzzy Hash: 041226747006058FCB14DF69C988A6ABBF2FF88305B1584A9E546DB362DB31EC85CF50
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ec0397890a507006b013dd2bbe3efb60eca3bc3bb4fadeebc7a6180a91ece45a
                      • Instruction ID: 31be5d31fc474867f47a640ed07a17edbedced73c54f8ff816e385d2b3263010
                      • Opcode Fuzzy Hash: ec0397890a507006b013dd2bbe3efb60eca3bc3bb4fadeebc7a6180a91ece45a
                      • Instruction Fuzzy Hash: C1026C707006048FDB149B68D859A2E7BE6FBC9704F144969E9039F3A1CFB9ED41CB92
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6429eb10f1577ce69bedf42268d4e84130d86ce1d8191dc018d2542c34112dd4
                      • Instruction ID: 54fa6adf73aeddac72c276693fa7e6dd8b318e7156c3a61b1e48464eff79841c
                      • Opcode Fuzzy Hash: 6429eb10f1577ce69bedf42268d4e84130d86ce1d8191dc018d2542c34112dd4
                      • Instruction Fuzzy Hash: 46D15B707006049FDB149B68C859B3A7BE6FF89704F14846AE9029F3A1CBB9ED41CF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0b68ecdc1a92355f975160b86a39212394cfd86264928a892dff1500d4cfa37d
                      • Instruction ID: 9db323a9ed92b804e067b64fd9646327b4e9681072483fc2b91aeeea578eb9cc
                      • Opcode Fuzzy Hash: 0b68ecdc1a92355f975160b86a39212394cfd86264928a892dff1500d4cfa37d
                      • Instruction Fuzzy Hash: 18C16D747012049FDB149B68C85AB7A7AE6FF89704F148066E902DB3A1CBB5ED41CFA1
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 599abdcec82e90047165bcd4bb6c74b899d6cc90e4b4538a47f8c70926f02730
                      • Instruction ID: df7ac8269b65f2becacc7d4b3563f014b36b77e80a6055d7f4f689bb9ed984ba
                      • Opcode Fuzzy Hash: 599abdcec82e90047165bcd4bb6c74b899d6cc90e4b4538a47f8c70926f02730
                      • Instruction Fuzzy Hash: 45C15C747012049FEB149B68C859B7A7AE7FF89704F148066EA029F3A1CBB5ED41CF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3a83661abdd47a98532e27ea5d48fe232ea5757a63524da3c1acb552d6f26234
                      • Instruction ID: 45d46e38455a27d552bdc142ec504082a061fbbe31915318a07bdf6b236b5375
                      • Opcode Fuzzy Hash: 3a83661abdd47a98532e27ea5d48fe232ea5757a63524da3c1acb552d6f26234
                      • Instruction Fuzzy Hash: 9A513671E00259DFDB19CFA9C980B9EBBF6FF48310F14852AD415AB244DB749942CF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0d61be1bb8b7f17e97006ba1cccaab52caa043bed4b186abe11c629cb6dfe2d8
                      • Instruction ID: 0ced6dcf676dea23b17be52d38324ed3b619b8f692b474c03ee030403a050883
                      • Opcode Fuzzy Hash: 0d61be1bb8b7f17e97006ba1cccaab52caa043bed4b186abe11c629cb6dfe2d8
                      • Instruction Fuzzy Hash: 13513935B105099FCB44DF69C884DAABBF2FF89310B15846AE906AB361DB70EC05CB50
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545658272.0000000005D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D30000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d30000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a7c35349ca45dc9604f680e02c9c45611b8e1cf10071fb6109cf41b5fa901bab
                      • Instruction ID: 243bc99fd8d55a331bd56b2c3bdcb0e065bb4f4490907aecb7d70b1ce17bd154
                      • Opcode Fuzzy Hash: a7c35349ca45dc9604f680e02c9c45611b8e1cf10071fb6109cf41b5fa901bab
                      • Instruction Fuzzy Hash: C9510935B10618AFCB44CF69C984DAEBBB6FF89710B15846AED05AB361DB31EC05CB50
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b608fe4edaa6d680adaff8639bb589e9d27ba199ff63e9e9e40c5820fc79c4e1
                      • Instruction ID: 19856fbb0a728105b1650a014eaf4b012a69398aadc9542faa28191adb27cf1a
                      • Opcode Fuzzy Hash: b608fe4edaa6d680adaff8639bb589e9d27ba199ff63e9e9e40c5820fc79c4e1
                      • Instruction Fuzzy Hash: 465145B1E00259DBDB19CFA9C980B9DBBF5FF48300F14852AD419EB280DB749842CF81
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 60a6dc5e149bf78dd1af599d73f81596129e65cd231ecc102ad7c1a2338f6c19
                      • Instruction ID: 29984af72b177bd4733b945543bc80912056a0e1037cbc3d8810d180b9fb43e6
                      • Opcode Fuzzy Hash: 60a6dc5e149bf78dd1af599d73f81596129e65cd231ecc102ad7c1a2338f6c19
                      • Instruction Fuzzy Hash: 7B3178747012149FCB15DF79D888A6EBBB6FF89341B4088A9E906CB355DB31ED01CB90
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fb21ae9a8738533b0d78ff7e29d06cdf0cc0b650a7215fbb189eb9437112c1b1
                      • Instruction ID: 7f907bf7e636d8497646a16c252ff354b4a681f3e082df62b5565030d069812f
                      • Opcode Fuzzy Hash: fb21ae9a8738533b0d78ff7e29d06cdf0cc0b650a7215fbb189eb9437112c1b1
                      • Instruction Fuzzy Hash: 663166797012049FCB06DF78D49496EBFB2FF89201B4088AAE906CB366DB30DD05CB90
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e294b267ba01e4b63a6f1191b5e738d72eeea76ffafa46f624de43127299356d
                      • Instruction ID: 7f2600cd20137a48336058229371f2ae4432a2ca2eae0ea7a36856aa853a6d25
                      • Opcode Fuzzy Hash: e294b267ba01e4b63a6f1191b5e738d72eeea76ffafa46f624de43127299356d
                      • Instruction Fuzzy Hash: 9E41F3B1D01248DFDB14DFAAD940ADEFBF6AF88310F14842AE415BB250DB35A945CF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6338261be17fb3550e074f8c6fa5a3f4b2edb7270b8ace02993933e240def7ec
                      • Instruction ID: 5087732acc1cd816c6fd96b8d7a55f3b48dd9f0e4aafba5034a1ba0c01fdf662
                      • Opcode Fuzzy Hash: 6338261be17fb3550e074f8c6fa5a3f4b2edb7270b8ace02993933e240def7ec
                      • Instruction Fuzzy Hash: 58311FB1D002489BDB14DFAAD980ADEBBF6AF48300F14842AE406BB250DB359945CF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4afc27717ea8d6ec7abdaf47a22545d6ca89749f7bc87dbe9f268048fa62ce52
                      • Instruction ID: 5b2c53a55e952625fbcfbf53252379b352498e2a63a5f915f6b70c33bb5da624
                      • Opcode Fuzzy Hash: 4afc27717ea8d6ec7abdaf47a22545d6ca89749f7bc87dbe9f268048fa62ce52
                      • Instruction Fuzzy Hash: D33102B1D01258DFDB14DFA9D880A9EBBF9EF48350F14842AE409B7240CB75A946CF90
                      Memory Dump Source
                      • Source File: 00000005.00000002.1536355436.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_75d000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a48b1bee62d98c2c73045deacfbd29850bf937ab57a6e11257cb245c9a9194bd
                      • Instruction ID: 317e43ee3facc9899101c3482564969d08950f34fff82b277e3919ab659bef77
                      • Opcode Fuzzy Hash: a48b1bee62d98c2c73045deacfbd29850bf937ab57a6e11257cb245c9a9194bd
                      • Instruction Fuzzy Hash: CD21F171604244DFDB34DF14D580B56BBA5EB88315F24C569DC0D4B286C3BADC0BCA61
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dc01afbdb882d5abd2f10dcb5bf4394a74edc44ae66b284d07378be616c37a91
                      • Instruction ID: 3b06b09310544fa846bb6a61839ac938d253975e38875f7d79ae5efdcb012abf
                      • Opcode Fuzzy Hash: dc01afbdb882d5abd2f10dcb5bf4394a74edc44ae66b284d07378be616c37a91
                      • Instruction Fuzzy Hash: 522110B1D01258DFDB14CFA9C995B9EBBF9AF08350F14842AE409FB240CB749946CF60
                      Memory Dump Source
                      • Source File: 00000005.00000002.1536355436.000000000075D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_75d000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 98b4a39bca6e71eeb00f3cb96efa266b81a2ce321bf83f7f23b4c4008194398b
                      • Instruction ID: 57026dee8aaaeeb4724003de6c4bc59877fe40dfe02dbdceda2ec0944b0108a7
                      • Opcode Fuzzy Hash: 98b4a39bca6e71eeb00f3cb96efa266b81a2ce321bf83f7f23b4c4008194398b
                      • Instruction Fuzzy Hash: 932183755083849FDB12CF24D994B15BF71EB46314F28C5DAD8498F2A7C37A9C0ACB62
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4899d475adf1c303c1107591303db5dac12b1a6c345e8a244566c2b82a4a3a60
                      • Instruction ID: c040565e4e817662592e341c05b767cb16617fdfc9bbb475b9194b4b10e24a96
                      • Opcode Fuzzy Hash: 4899d475adf1c303c1107591303db5dac12b1a6c345e8a244566c2b82a4a3a60
                      • Instruction Fuzzy Hash: 6E11C27620C3818FD306DF64F8548867FA1FB52310B4688ABE185CB276DB349849CB54
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a4d27159473710e7b7d95ad2817350653d1c0eb3ba7f33c6066cb66ec914cdbf
                      • Instruction ID: bb14d33a3004a4a2c3755f12640caa69780b335232e8c00e51d76febfd1de788
                      • Opcode Fuzzy Hash: a4d27159473710e7b7d95ad2817350653d1c0eb3ba7f33c6066cb66ec914cdbf
                      • Instruction Fuzzy Hash: AA112B312102018FC799A736E99856D3FA3EFC93503048D1CF54B8B651EF747D8A9B92
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f12b229616481822cc3b6626eee14d3ff2238a0253fc4259cd364318db709322
                      • Instruction ID: 1b21eef62e20a35cd32e06f1ddf26e269663bdb7eaa6b33c70b4eed56feafce1
                      • Opcode Fuzzy Hash: f12b229616481822cc3b6626eee14d3ff2238a0253fc4259cd364318db709322
                      • Instruction Fuzzy Hash: 9B01D431B001099FDF14DEA9EC89ABFBBFAFBC4251B144036E604D3240DB30990587E0
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e3d03c9c881f15ad91d65335fd32a2ce5c4adef56fd422e9a558db6e0078a84d
                      • Instruction ID: 70fd84fd767ef0047728687737548dd9bed4aaac2b385db7b386d078545851c7
                      • Opcode Fuzzy Hash: e3d03c9c881f15ad91d65335fd32a2ce5c4adef56fd422e9a558db6e0078a84d
                      • Instruction Fuzzy Hash: FA01A5712043018FD3159F75E44969E3BE3EFC9315B10CA29E14B8B685DF78AD0ACB92
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7c1d78a7a53200727ec0665b70a9a4e179ff86e62fa20a50b2923c348e50ed99
                      • Instruction ID: 91c6e20989a40cd67ae9a61963e18db8a64beae648269606117cf9aaf9443551
                      • Opcode Fuzzy Hash: 7c1d78a7a53200727ec0665b70a9a4e179ff86e62fa20a50b2923c348e50ed99
                      • Instruction Fuzzy Hash: 2701D8312102018FC698A736E59852D3B93EFC93503448D1CF10B8B650DF747D869B96
                      Memory Dump Source
                      • Source File: 00000005.00000002.1536311110.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_74d000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 05476a026e8235af31e712c72bc298300fd28697ed4922236e708767900b8c9c
                      • Instruction ID: 6a5314b04cdfd4a91209f54ece83bc9612c774ee0125840df62491564ea16b11
                      • Opcode Fuzzy Hash: 05476a026e8235af31e712c72bc298300fd28697ed4922236e708767900b8c9c
                      • Instruction Fuzzy Hash: 3901A2711083449AE7318A1AC984B67BFA8DF45760F18C95AED494E282C77D9C40CA71
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b144f9f5c8e08a07d347db43c1b0531edbb58d6e212ddd4614b42348a400c0c9
                      • Instruction ID: 5f20e27c7b1c3fd7962be4edb094195b4e4b14d5a2ed25f8e0e48da5f74bbd15
                      • Opcode Fuzzy Hash: b144f9f5c8e08a07d347db43c1b0531edbb58d6e212ddd4614b42348a400c0c9
                      • Instruction Fuzzy Hash: 9C019E316057858FCB29CE75F94473ABBB3BF84215F18886EE04786A54DA35D484CF40
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2efe16f766cbbf3eeb75b79ebf2814b06505d2e373c5dc472a9e4e188097869b
                      • Instruction ID: 1fde813f94c6e13e2f56ea645865c1c5e9c21b4d2f8478fa63cd45a313d7a6e2
                      • Opcode Fuzzy Hash: 2efe16f766cbbf3eeb75b79ebf2814b06505d2e373c5dc472a9e4e188097869b
                      • Instruction Fuzzy Hash: F2F0AC3A3482519FC7670BA5AC140F97FA6DE87341348489FE282CB211DA584903CBE1
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 66048187bf0ecb1fac9bcbe99253817e56523b7e6dd727edc34eda1649f83131
                      • Instruction ID: d2b72707acbd927a05362e80f4f7889538201f0399b67d47d603bcf75f62877b
                      • Opcode Fuzzy Hash: 66048187bf0ecb1fac9bcbe99253817e56523b7e6dd727edc34eda1649f83131
                      • Instruction Fuzzy Hash: 5301D6346083489FCB05DF74D8548593FBAFF8A300B1488AAE545CB262DA36DD01DB91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7e511b287ab9775a11e43eabff9c31f76126a1cf49077d188c079e40d4d098d9
                      • Instruction ID: c7107bfc134091f0b59c0d0e1e8d708dc4d1abcf0841c3f446a4664d1495c195
                      • Opcode Fuzzy Hash: 7e511b287ab9775a11e43eabff9c31f76126a1cf49077d188c079e40d4d098d9
                      • Instruction Fuzzy Hash: 040144712042058FD314AF79E44C65E7BE3EFC9315B108A29E14B97644DF75AD09CB91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b146bc3f8404abb407986d29fa070ab4f251032f41e239dc670d3de4827afd2
                      • Instruction ID: e1b9a47a7d6f160d4fd819a4604493d571efe2864534f0470a60816a43534995
                      • Opcode Fuzzy Hash: 7b146bc3f8404abb407986d29fa070ab4f251032f41e239dc670d3de4827afd2
                      • Instruction Fuzzy Hash: CB01D2B4D0821AEFCB04DFA9D9446AEBBF1FF88301F1084AAD815A3351E7785A41DF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1536311110.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_74d000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 93ab348094116270fc753e9933f8bf1184652e031bf6ee036fd5556301b88a76
                      • Instruction ID: f7b877ac0e2821c7263c22db0d06b09b54f07e349446d4640492decdf9062d4f
                      • Opcode Fuzzy Hash: 93ab348094116270fc753e9933f8bf1184652e031bf6ee036fd5556301b88a76
                      • Instruction Fuzzy Hash: E5F06272404344AAE7218E16C984B66FFE8EB91774F18C55AED485B286C3799C44CA71
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ff3188023626e852a6993c5f06d5dcee3f45b04938b98322b0476298a5ac315e
                      • Instruction ID: 38d590edb9fb4c7b769efd9b28bdefeb6de75ec537fdd42d2be1f15ee7ada35c
                      • Opcode Fuzzy Hash: ff3188023626e852a6993c5f06d5dcee3f45b04938b98322b0476298a5ac315e
                      • Instruction Fuzzy Hash: B201D176501B018FD319DF26E888452BBF6FF49300700C91EE487C3651DB70A54ACF80
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c60335acf5e5506512d1b5989905d92cd19a5d7cc296dce60f70f8a1b65c2c14
                      • Instruction ID: 316de5c65db316d597b1c9c20a23c16c01df4c4b361a0fb783b58b612aea0842
                      • Opcode Fuzzy Hash: c60335acf5e5506512d1b5989905d92cd19a5d7cc296dce60f70f8a1b65c2c14
                      • Instruction Fuzzy Hash: 1FF0A731245241AFC3696B6AE8586DA7FEADFCF710B10896EF14EC3242CAA528458761
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 06399159ac113bf4d89ea5de39076160ce8db9faa236ece166a233dd12f2b64d
                      • Instruction ID: 6bc3c1389b1209fc4c679cb65d036c513b4e24faf5d16557fb88fe3084307736
                      • Opcode Fuzzy Hash: 06399159ac113bf4d89ea5de39076160ce8db9faa236ece166a233dd12f2b64d
                      • Instruction Fuzzy Hash: 0E015AB4D0824ADFCB01DFA4DA446EDBFB1BF49305F10819AD451A7391D7740A40DF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fa0d2030be2dcd834e6d253bf484151734771ec52173527efc7b980df6fb7505
                      • Instruction ID: f142a0e7703b4fdb87ebb442cb84fba26405cc730a55cfd953575ee5662c9835
                      • Opcode Fuzzy Hash: fa0d2030be2dcd834e6d253bf484151734771ec52173527efc7b980df6fb7505
                      • Instruction Fuzzy Hash: DDF0A7722041E83F8B214E9B5C10CFB3FEDDA8E161B084156FED8C2141C52DC921ABB0
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 520fde251952ecce40191f37d551e91eda0e56161083959f044aaec402985dfa
                      • Instruction ID: ad599e30a75a4eb41e323806fdcacd77d4f06f097e79d90afed755bc13ce920e
                      • Opcode Fuzzy Hash: 520fde251952ecce40191f37d551e91eda0e56161083959f044aaec402985dfa
                      • Instruction Fuzzy Hash: 66F0B4762042D82FDB128EA55C109FB3FEDDA8D1227094096FAE4C6251C63CC962AB70
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5554a57ac3376b1071631e75b35cc7061fed4f6f789583985c0900b8df396635
                      • Instruction ID: 40d8ffdf1da392a8100de8af8a96fc4202033333a6af078efc93aa4dff9f004b
                      • Opcode Fuzzy Hash: 5554a57ac3376b1071631e75b35cc7061fed4f6f789583985c0900b8df396635
                      • Instruction Fuzzy Hash: EDF0BB312067D04FC312973DF91869E3FE6DF86208B04455AF186CB252DA656D058BA2
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cff8023dadb8d66e673cad2cae54786be8b7e67bf22420458caad8e3c9dc6e46
                      • Instruction ID: 8310a916e237d0c1afd81e5546d2443dd80c3145fdcd33b9c8cbf10dbbe7b6d8
                      • Opcode Fuzzy Hash: cff8023dadb8d66e673cad2cae54786be8b7e67bf22420458caad8e3c9dc6e46
                      • Instruction Fuzzy Hash: 62F049B5D081599FCB01CBA4C8555AEBFB1EF5A241F004197E846E7252E6398A51DF40
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f0ef7120f65f56b1d606113103562ef2cf8abc43856ccd3d599435f1c7c38fff
                      • Instruction ID: f3447b5374f3e852b065be9415111d1f9521bc9df59dd85a3b2afc735b0282d0
                      • Opcode Fuzzy Hash: f0ef7120f65f56b1d606113103562ef2cf8abc43856ccd3d599435f1c7c38fff
                      • Instruction Fuzzy Hash: 05F0B871B403008FDB218B64E842F653FE1EB02711F10C66AE2518F1E2E3B1E804DB81
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8df6247b955406e139d3099edc5ac920493a05ee28c97d24492480da3eecac0c
                      • Instruction ID: 7b817780d877a5b02bf8b78e2b8da7f37c6bb1ce8a47d47971fa30dd1eb68954
                      • Opcode Fuzzy Hash: 8df6247b955406e139d3099edc5ac920493a05ee28c97d24492480da3eecac0c
                      • Instruction Fuzzy Hash: A5F0A030600746CFCB24CE26E900A77B7F7FF80214B04882EE04646914DAB1F485CF80
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: be856ca69aecd1bf21e28452ab2eb6bdc80c7406bf27bcf904c4a42a622c4e2d
                      • Instruction ID: d5a31819305cc4fd73108a1955bb64c22cfc27539f45600d95261fde10787317
                      • Opcode Fuzzy Hash: be856ca69aecd1bf21e28452ab2eb6bdc80c7406bf27bcf904c4a42a622c4e2d
                      • Instruction Fuzzy Hash: F3F02B32B101158F9F14DAF8AC886BEBBF6BB88291B0C4077D554E3240FF3098068BE1
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 54658b634e3542d88cb9f4cb1da8fcaf09ee23bf2a962d874a6dcbb7ddabbafa
                      • Instruction ID: 1e8adef9a7048d48341923aae9380d26b3bfc98d70d6a76e9d86e4b774c5b366
                      • Opcode Fuzzy Hash: 54658b634e3542d88cb9f4cb1da8fcaf09ee23bf2a962d874a6dcbb7ddabbafa
                      • Instruction Fuzzy Hash: A8E09231340101ABC3282A6AE84CADF7ADBEBCA751B10852DF20EC3242CFA5180547A5
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6740e1286a7f883925f7258d0fb24d6bf3f4529b165561b496ade2d4a28cac36
                      • Instruction ID: 8b335ba65dbad4700f2ec2f6b9ef7510f8722d1d668cd7f3a40e43a77246d1af
                      • Opcode Fuzzy Hash: 6740e1286a7f883925f7258d0fb24d6bf3f4529b165561b496ade2d4a28cac36
                      • Instruction Fuzzy Hash: D8F06774501B018FE729EF26E48C552BBF6FB88344700C62EE88B82A50DB70A909CF84
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4b0057de52c3c85c3de06fcc65745d9245fbee321da88de215d98949de05004d
                      • Instruction ID: 268e8031049674d50bf302263715e15f7e7222e8e720961ec0a0909ee9518d83
                      • Opcode Fuzzy Hash: 4b0057de52c3c85c3de06fcc65745d9245fbee321da88de215d98949de05004d
                      • Instruction Fuzzy Hash: E3F0C979D0120DBFCB41DFB8E9499CDBFB9EB48204F1082A6E905E3254EA306B55DF91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 666e598f2f0803405e8506b76dd1f809f868ac30c06c978b1c8459cca03ee926
                      • Instruction ID: 9287211034d6d09d18d21ea33c506d52cf3df367bf437e52a4ed540488f30911
                      • Opcode Fuzzy Hash: 666e598f2f0803405e8506b76dd1f809f868ac30c06c978b1c8459cca03ee926
                      • Instruction Fuzzy Hash: FFE030302007518FC615A73EE54C7AE7BE6DF85318F044929F2468B651DBA578458B91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 991d1a7185db33ac1bee9f93388e2475d6f416648bb33d6e18ea7dd93b09a875
                      • Instruction ID: 0e5c7e6c5b7ea46c053b93ce397c577fba4c73fb8d056c15c9e788dfedc69663
                      • Opcode Fuzzy Hash: 991d1a7185db33ac1bee9f93388e2475d6f416648bb33d6e18ea7dd93b09a875
                      • Instruction Fuzzy Hash: 30E026332166408FCF56EB25F8C0ADD3B66EB8A720F404253E404CB666CB300C868FD6
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7a811e223e92f486ecb92b7cf1732dedfb161238bb5b38c5549269ce00f41d57
                      • Instruction ID: 8df66c0d50f44b831bd7d377988cd28f900141b829b23236f8c4794d23483e9a
                      • Opcode Fuzzy Hash: 7a811e223e92f486ecb92b7cf1732dedfb161238bb5b38c5549269ce00f41d57
                      • Instruction Fuzzy Hash: 38E026B1406380EFDB43E320F8C5D953FA9DB06710F014695FC048B66AC7304C828F92
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 18de76b8110ec2fbba2851e0a34aef5a61954c5c7191813d659c419f913be73f
                      • Instruction ID: db176528b9c42a57720e108ae9dfe3bcfcdf2c8ceec0b64959369fe35be38866
                      • Opcode Fuzzy Hash: 18de76b8110ec2fbba2851e0a34aef5a61954c5c7191813d659c419f913be73f
                      • Instruction Fuzzy Hash: B5E0DF71A05204EFCB01DFA4E84499E3BB2DF86204F2042DAF809D7291E6300F108B52
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c8cf8885f88ee629dfefa1c1f0c263a1c9b0b01625033b8522efb5b56084a0ad
                      • Instruction ID: 45706754ebdac52599a3565bff1d330861f51623a82731970db837bc86479879
                      • Opcode Fuzzy Hash: c8cf8885f88ee629dfefa1c1f0c263a1c9b0b01625033b8522efb5b56084a0ad
                      • Instruction Fuzzy Hash: A3E09A304027409FCB26BB20BEC29953BAAE74AB00F410245EC055B2AAC7641A89CFD6
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6c2ada989b5f1674758f4635d6a11e670bbf04533651552d6f236721481af678
                      • Instruction ID: 3253d77064a3c0178b3445da364647c320c670a1798b2a16db5b3e35eb094a2d
                      • Opcode Fuzzy Hash: 6c2ada989b5f1674758f4635d6a11e670bbf04533651552d6f236721481af678
                      • Instruction Fuzzy Hash: 24D05E31340128A78A5D2769F4584FE7BAFEBDA662304992AF70BC7240DF6D1D0287D6
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 38454ce3418d6ba8faab7f765ce387b177ab0c3010a5051466ce7c9c3fc14f4c
                      • Instruction ID: 601a49f2f7330ee46d6dfaf886ba49ce9bfb9221d7f3ab337a395e924bb19a92
                      • Opcode Fuzzy Hash: 38454ce3418d6ba8faab7f765ce387b177ab0c3010a5051466ce7c9c3fc14f4c
                      • Instruction Fuzzy Hash: F3E0177A224244AFC7829F54C8818943FB9FF5A61030984C6F6848F273C231E926EB61
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 728fef4cdeab2502a6576a6b55358412f1fe4fafd0f6c32d1cecdb6f463bdae3
                      • Instruction ID: f42122cbe21d44ddd05b9ae72bcd404bb8cb79fa0ef8f63d9d57dafe8999994d
                      • Opcode Fuzzy Hash: 728fef4cdeab2502a6576a6b55358412f1fe4fafd0f6c32d1cecdb6f463bdae3
                      • Instruction Fuzzy Hash: 9AE09A75D0020DEFCB40DFE5E5888DDBBB9EB48200F1082A6D905E3250EB306B55DF80
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d418642f41966b2832cd0dbf6d8b1284a7805c1fd6d15fc47aa5f600fb545764
                      • Instruction ID: 8ac48d8f470486e605fcbd578843539eaf95fa955063f46f292cd8beb5772612
                      • Opcode Fuzzy Hash: d418642f41966b2832cd0dbf6d8b1284a7805c1fd6d15fc47aa5f600fb545764
                      • Instruction Fuzzy Hash: 3ED017B1A00208FF8B44EFA9E94595DB7BAEB45204B1096A9E909E7200EA312F009B91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d03718de11e717f69c693240c9572dd4c3cde826dfa196e6c70a9a2d7fa14d82
                      • Instruction ID: c4158cd8726fb6d3626bf2007441f0727771f7d70eb1c6bde9f58132177eb818
                      • Opcode Fuzzy Hash: d03718de11e717f69c693240c9572dd4c3cde826dfa196e6c70a9a2d7fa14d82
                      • Instruction Fuzzy Hash: 50C08C327001208B02D8AA6C701816D77D3C3CC6A338581BFFA0EE3348DEB08D824780
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 65400481ba6d8fa2aab2f96149561e12b83d6b064dcb465122ebb241c2f5b99f
                      • Instruction ID: 601d622caf876ced06b5ab9bc78888629844eee422fa036448adc9800c7a45ad
                      • Opcode Fuzzy Hash: 65400481ba6d8fa2aab2f96149561e12b83d6b064dcb465122ebb241c2f5b99f
                      • Instruction Fuzzy Hash: EEB09B7154B7D06EDB0247309D0D9453E655F56710B1550C6F7419D0A3D6314005CB91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f35f640391b20c5b7175711d120c3911445a28fd8def4f6f3cef29b4f3d9dab8
                      • Instruction ID: 566986f700447e6de8bd3a420570a4c52eecb85f26ec5fcf549e69b6dbd2a6b8
                      • Opcode Fuzzy Hash: f35f640391b20c5b7175711d120c3911445a28fd8def4f6f3cef29b4f3d9dab8
                      • Instruction Fuzzy Hash: 936223B07002009FDB4CDF69D45872A7AE6EB84308F64C95CD10D9F396DBBAD94B8B91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a8410e0a545f5ddf5dae7a17fa683b563911ed5fa0baba485f0b87c96ba094b9
                      • Instruction ID: d6d7bc347520448d20ead03a66d9804c1d2e14b0ce3c4ad20aefe1b1b4539e8e
                      • Opcode Fuzzy Hash: a8410e0a545f5ddf5dae7a17fa683b563911ed5fa0baba485f0b87c96ba094b9
                      • Instruction Fuzzy Hash: A16222B07002009FDB4CDF69D45872A7AE6EB84308F64C95CD10D9F396DBBAD94B8B91
                      Memory Dump Source
                      • Source File: 00000005.00000002.1544205376.00000000048D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_48d0000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cec6daa41b34985f8fada3d3830bdd11ef3cf765cc6428b2e232ede6d1f00292
                      • Instruction ID: 75a87fe096717da39ed9f50962b9efded9c19f2baffba356ee9480f363b0b460
                      • Opcode Fuzzy Hash: cec6daa41b34985f8fada3d3830bdd11ef3cf765cc6428b2e232ede6d1f00292
                      • Instruction Fuzzy Hash: B9A17032E012058FCF05DFB9C84059EB7F2FF84304B258A6AE906EB255DB75E945DB80
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 80b5a64961d1111e5f0c60451c6f72183c5054cc45ff8d119c5f1212722ade1f
                      • Instruction ID: 88c5eb0db9c280a562e7bece6904ffe47fca7f651fc506b984706d4b5edf5734
                      • Opcode Fuzzy Hash: 80b5a64961d1111e5f0c60451c6f72183c5054cc45ff8d119c5f1212722ade1f
                      • Instruction Fuzzy Hash: 9CC1B174E01218CFDB58DFA9D990A9DBBB2FF89300F1085AAD409AB355DB349E46CF41
                      Memory Dump Source
                      • Source File: 00000005.00000002.1549736534.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_7220000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: df87804efaba3ec4659de1d656b7318883c011cca067233bbd9181b070ce03dd
                      • Instruction ID: dd791ad55c0eecffed78fba58cf9a677a8d1cf632fcda8c40c32931496124d52
                      • Opcode Fuzzy Hash: df87804efaba3ec4659de1d656b7318883c011cca067233bbd9181b070ce03dd
                      • Instruction Fuzzy Hash: ACC1B174E01218CFDB58DFA9D990B9DBBB2BF89300F1085AAD409AB355DB349D46CF41
                      Strings
                      Memory Dump Source
                      • Source File: 00000005.00000002.1545682229.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_5_2_5d40000_file.jbxd
                      Similarity
                      • API ID:
                      • String ID: (__q$(__q$(__q$(__q$(__q$(__q
                      • API String ID: 0-1985298857
                      • Opcode ID: 60e739f4227a8fe3d78e3064246a9ab69384b9b161d71b6b743c7cedd4392b08
                      • Instruction ID: c49e8308dc313cff58aa385334ded77b66bef179921d7fb74638b3629cccdabc
                      • Opcode Fuzzy Hash: 60e739f4227a8fe3d78e3064246a9ab69384b9b161d71b6b743c7cedd4392b08
                      • Instruction Fuzzy Hash: 37D1EF34B04344AFCB149F68D4585AE7BB6FF86300F64856AE80ADB391DB359E02CB91