Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483133
MD5: 4e0235942a9cde99ee2ee0ee1a736e4f
SHA1: d084d94df2502e68ee0443b335dd621cd45e2790
SHA256: a0d7bc2ccf07af7960c580fd43928b5fb02b901f9962eafb10f607e395759306
Tags: exe

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6048 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4E0235942A9CDE99EE2EE0EE1A736E4F)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration: {"C2 url": ["185.215.113.9:9137"], "Bot Id": "Logs", "Authorization Header": "f3f88d8c3034a76ac8ad2a0de6407050"}
Yara matches (Source | Rule | Description | Author | Strings):

file.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000000.1990396384.00000000007C2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 6048 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.0.file.exe.7c0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
                    No Sigma rule has matched
                    No Snort rule has matched
Network IDS alerts (Timestamp | SID | Source Port | Destination Port | Protocol | Classtype):

2024-07-26T17:53:04.960515+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:11.181241+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:09.287354+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:06.888602+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:05.609737+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:08.667243+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:12.431195+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:07.247303+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:52:58.771941+0200 | 2046045 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:56.539304+0200 | 2022930 | 443 | 49712 | TCP | A Network Trojan was detected
2024-07-26T17:53:07.851599+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:06.029459+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:18.061471+0200 | 2022930 | 443 | 49706 | TCP | A Network Trojan was detected
2024-07-26T17:53:04.657390+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:09.292515+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:12.092592+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:12.697306+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:08.104925+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:13.010752+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:11.838018+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:08.415709+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:04.096839+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:05.341493+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:08.964206+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:52:59.051787+0200 | 2043234 | 9137 | 49704 | TCP | A Network Trojan was detected
2024-07-26T17:53:10.639458+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:11.436551+0200 | 2043231 | 49704 | 9137 | TCP | A Network Trojan was detected
2024-07-26T17:53:04.496619+0200 | 2046056 | 9137 | 49704 | TCP | A Network Trojan was detected


                    AV Detection

Source: file.exe Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.9:9137"], "Bot Id": "Logs", "Authorization Header": "f3f88d8c3034a76ac8ad2a0de6407050"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: file.exe, 00000000.00000002.2172567639.00000000075E9000.00000004.00000020.00020000.00000000.sdmp

                    Networking

Source: Malware configuration extractor URLs: 185.215.113.9:9137
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 185.215.113.9:9137
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.9
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9~
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: file.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp583D.tmp
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp584E.tmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0116DC74
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_062C67D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_062CA3D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_062C3F50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_062C6FE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_062C6FF8
Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirefox.exe0 vs file.exe
Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q,\\StringFileInfo\\000004B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs file.exe
Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs file.exe
Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs file.exe
Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q,\\StringFileInfo\\080904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs file.exe
Source: file.exe, 00000000.00000000.1990421837.0000000000806000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTwites.exe8 vs file.exe
Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2155866216.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameTwites.exe8 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/5@0/1
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Tmp583D.tmp
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
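Most of the URL strings listed above are not indicators. The schemas.xmlsoap.org/ws/* URIs are WS-* specification namespaces that System.ServiceModel (WCF) embeds in every client it builds, and tempuri.org is the default namespace WCF assigns to a service contract, so the Entity/IdN and Entity/IdNResponse strings are the sample's own service operation names rather than hosts it reaches out to. The ecosia, duckduckgo, yahoo and google favicon and query URLs match the default search-provider data kept in a Chromium profile and fit the browser-harvesting signature. The api.ip.sb/ip string is different: it is an external IP lookup and a sensible network detection pivot. The WMI rows show the process enumerating running processes and querying Win32_Processor, one of the classes commonly read to fingerprint a VM. The Python helper below is an added example and not part of the Joe Sandbox report: it parses rows in this report's "Source ... detail" layout (both the separated form and the run-together extraction form), sorts URL strings into those buckets, and lists WMI classes that hit a small fingerprinting set. The sample rows, the host lists and the class set are constructed for the example and are assumptions, not data taken from the report beyond the lines already shown.

```python
import re
from urllib.parse import urlsplit

# Row layout used by the report: "Source: <origin> | <category>: <detail>".
# The optional "|" lets the same regex accept extraction output in which the
# columns were run together ("...sdmpString found in binary or memory: ...").
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)\s*\|?\s*"
    r"(?P<category>String found in binary or memory|Binary or memory string|"
    r"WMI Queries|Code function|Section loaded|File created|Static PE information)"
    r":\s*(?P<detail>.*)$"
)
WMI_CLASS_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)

# WS-* specification namespaces that WCF embeds in every client; their
# presence says ".NET WCF client", not "this host is contacted".
WCF_NAMESPACE_HOSTS = {"schemas.xmlsoap.org", "schemas.microsoft.com",
                       "www.w3.org", "docs.oasis-open.org"}
# Search providers whose favicon/query URLs live in a Chromium profile's
# search-engine data (only the hosts seen in the report are listed).
BROWSER_SEARCH_SUFFIXES = ("duckduckgo.com", "ecosia.org", "search.yahoo.com", "google.com")
# WMI classes commonly queried to fingerprint a sandbox or VM (assumed set).
VM_FINGERPRINT_CLASSES = {"Win32_Processor", "Win32_VideoController", "Win32_DiskDrive",
                          "Win32_ComputerSystem", "Win32_BIOS"}


def parse_row(row: str):
    """Split one report row into source, category and detail; None if it does not fit."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def classify_url(url: str) -> str:
    host = urlsplit(url).netloc.lower()
    if host in WCF_NAMESPACE_HOSTS:
        return "wcf-namespace-noise"
    if host == "tempuri.org":
        # WCF's default contract namespace: Entity/IdN are the sample's own
        # operation names, and tempuri.org itself is never contacted.
        return "wcf-contract-operation"
    if host.endswith(BROWSER_SEARCH_SUFFIXES):
        return "browser-search-data"
    return "network-ioc"


def triage(rows):
    """Bucket URL strings and WMI queries from a list of report rows."""
    out = {"urls": [], "network_iocs": [], "wmi_classes": [], "vm_fingerprint": [], "unparsed": []}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            out["unparsed"].append(row)
            continue
        category, detail = parsed["category"], parsed["detail"]
        if category == "String found in binary or memory" and detail.startswith(("http://", "https://")):
            tag = classify_url(detail)
            out["urls"].append((detail, tag))
            if tag == "network-ioc":
                out["network_iocs"].append(detail)
        elif category == "WMI Queries":
            m = WMI_CLASS_RE.search(detail)
            if m:
                out["wmi_classes"].append(m.group(1))
                if m.group(1) in VM_FINGERPRINT_CLASSES:
                    out["vm_fingerprint"].append(m.group(1))
    return out


# Constructed rows in the report's layout: a handful of the lines above, plus one
# left in the run-together extraction form to show the parser copes with it.
SAMPLE_ROWS = [
    r"Source: file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue",
    r"Source: file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response",
    r"Source: file.exe | String found in binary or memory: https://api.ip.sb/ip",
    r"Source: file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=",
    r"Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'",
    r"Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Feeding the whole string table through `triage` leaves exactly one entry in `network_iocs` (https://api.ip.sb/ip), which is the string worth turning into an egress alert; everything tagged wcf-namespace-noise can be dropped from IOC lists without losing signal.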
Source: C:\Users\user\Desktop\file.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msisip.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wshext.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: esdsip.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: Google Chrome.lnk.0.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: file.exe, 00000000.00000002.2172567639.00000000075E9000.00000004.00000020.00020000.00000000.sdmp
Source: file.exe | Static PE information: 0xF4A21C47 [Fri Jan 22 01:32:55 2100 UTC]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_062CECF2 push eax; ret 0_2_062CED01

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\file.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1140000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2B70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: 29A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 2043
                    Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 7769
                    Source: C:\Users\user\Desktop\file.exe TID: 4464 | Thread sleep time: -29514790517935264s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: file.exe, 00000000.00000002.2167326008.0000000006324000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: file.exe, 00000000.00000002.2157793083.0000000003007000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: file.exe, 00000000.00000002.2155997500.0000000000C51000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2175209165.00000000084A0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156155945.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: file.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.file.exe.7c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1990396384.00000000007C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 6048, type: MEMORYSTR
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLR]q
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR]q<
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR]q
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q%appdata%`,]qdC:\Users\user\AppData\Roaming`,]qdC:\Users\user\AppData\Roaming\Binance
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q&%localappdata%\Coinomi\Coinomi\walletsLR]q0
                    Source: file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match | File source: 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 6048, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: file.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.file.exe.7c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1990396384.00000000007C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 6048, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one technique per tactic column per row; a leading number is the count shown next to that technique in the report):

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 OS Credential Dumping | 231 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Install Root Certificate | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id14ResponseD | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id23ResponseD | 0% | URL Reputation | safe
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
                    http://tempuri.org/ | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id6ResponseD | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
                    http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id13ResponseD | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | URL Reputation | safe
                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id5ResponseD | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | URL Reputation | safe
                    https://api.ip.sb/ip | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id1ResponseD | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
                    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | URL Reputation | safe
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id21ResponseD | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id10ResponseD | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id15ResponseD | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id11ResponseD | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 0% | URL Reputation | safe
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 0% | URL Reputation | safe
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id17ResponseD | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
                    https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9~ | 0% | Avira URL Cloud | safe
                    No contacted domains info
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sct | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id14ResponseD | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id23ResponseD | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id12Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/ | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id2Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id21Response | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id9 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id8 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id6ResponseD | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id5 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id4 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id7 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id6 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id19Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id13ResponseD | file.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id15Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id5ResponseD | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id6Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://api.ip.sb/ip | file.exe | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/sc | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id1ResponseD | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9~ | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id9Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id20 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id21 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id22 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id23 | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id24 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id24Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://www.ecosia.org/newtab/ | file.exe, 00000000.00000002.2161650518.0000000003BAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id1Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id21ResponseD | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/08/addressing | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id10 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id11 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id10ResponseD | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id12 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id16Response | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id13 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id14 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id15 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id16 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id17 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id18 | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id5Response | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id19 | file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://tempuri.org/Entity/Id15ResponseDfile.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id10Responsefile.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Renewfile.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id11ResponseDfile.exe, 00000000.00000002.2157793083.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id8Responsefile.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyfile.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDfile.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTfile.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityfile.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://tempuri.org/Entity/Id17ResponseDfile.exe, 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://schemas.xmlsoap.org/soap/envelope/file.exe, 00000000.00000002.2157793083.0000000002B71000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.9 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483133
Start date and time: 2024-07-26 17:52:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal96.troj.spyw.evad.winEXE@1/5@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 89
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
11:53:05 | API Interceptor | 55x Sleep call for process: file.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.9 | c9952fbf329b8a9b3400196c5bfefb8c48bdb7a8a3c8f.exe | Get hash | malicious | Raccoon, RedLine | Browse |
 | fd5be24f8a05f5a97e1424b367ae6e0db88c55f7ee952.exe | Get hash | malicious | Raccoon, RedLine | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | 6SoKuOqyNh.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 185.215.113.16
 | SecuriteInfo.com.Win32.TrojanX-gen.22664.27275.exe | Get hash | malicious | Amadey | Browse | 185.215.113.19
 | EXyAlLKIck.exe | Get hash | malicious | Amadey | Browse | 185.215.113.16
 | IRqsWvBBMc.exe | Get hash | malicious | Amadey, Vidar | Browse | 185.215.113.16
 | LbMTyCFRzs.exe | Get hash | malicious | Amadey | Browse | 185.215.113.19
 | file.exe | Get hash | malicious | Amadey, Babadeda, Stealc, Vidar | Browse | 185.215.113.16
 | DHBIT8FeuO.exe | Get hash | malicious | Amadey | Browse | 185.215.113.19
 | JGKjBsQrMc.exe | Get hash | malicious | Amadey, Babadeda, RedLine, Stealc, Vidar | Browse | 185.215.113.16
 | PE1dBCFKZv.exe | Get hash | malicious | Amadey | Browse | 185.215.113.16
 | random.exe | Get hash | malicious | Amadey | Browse | 185.215.113.16
No context
No context
Process: C:\Users\user\Desktop\file.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:54 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category: dropped
Size (bytes): 2104
Entropy (8bit): 3.450269862340454
Encrypted: false
SSDEEP: 48:8Sdl2dfTXdARYrnvPdAKRkdAGdAKRFdAKRE:8SdlO7
MD5: 2D312B4093D226EFC6C913A7879DD796
SHA1: 6C62E415C83B6D879B011FE9CE70E1982E1C36BD
SHA-256: 614F731574AFA5181EC34C02FDDFAA7CE5B2E9EE6096747F080369B88BF36FA9
SHA-512: C01A71CEDC1FBDF09798BAC167885EAC52F6D477682AA39ED774FB6378A8514F28A27ADEADD76856876B0262297D6674903D92FEA6880A80ECC48745C7082203
Malicious: false
Reputation: low
                        Preview:L..................F.@.. ......,......Jm.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3274
Entropy (8bit): 5.3318368586986695
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5: 0C1110E9B7BBBCB651A0B7568D796468
SHA1: 7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256: 112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512: 46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious: true
Reputation: moderate, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 2662
Entropy (8bit): 7.8230547059446645
Encrypted: false
SSDEEP: 48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5: 1420D30F964EAC2C85B2CCFE968EEBCE
SHA1: BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256: F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512: 6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\file.exe
File Type: data
Category: dropped
Size (bytes): 2251
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: 0158FE9CEAD91D1B027B795984737614
SHA1: B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256: 513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512: C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious: false
Reputation: moderate, very likely benign file
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.081451547709962
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: file.exe
File size: 311'296 bytes
MD5: 4e0235942a9cde99ee2ee0ee1a736e4f
SHA1: d084d94df2502e68ee0443b335dd621cd45e2790
SHA256: a0d7bc2ccf07af7960c580fd43928b5fb02b901f9962eafb10f607e395759306
SHA512: cfc4b7d58f662ee0789349b38c1dec0c4e6dc1d2e660f5d92f8566d49c4850b2bf1d70e43edf84db7b21cb8e316e8bcc3e20b797e32d9668c69a029b15804e3f
SSDEEP: 3072:aq6EgY6igrUjsgMmwPPoDqeRFSCotTAbtAYKtJcZqf7D341eqiOLibBOU:ZqY6iXwPwuaFjGTARANJcZqf7DIfL
TLSH: BF647D1827EC8910E27F4B7994B1E6749375EC16A952D30F4ED06CEB3D32741FA21AB2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.................0.................. ... ....@.. ....................... ............@................................
Icon Hash: 4d8ea38d85a38e6d
Entrypoint: 0x42b9a2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF4A21C47 [Fri Jan 22 01:32:55 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        popad
                        add byte ptr [ebp+00h], dh
                        je 00007F08FC8BCE12h
                        outsd
                        add byte ptr [esi+00h], ah
                        imul eax, dword ptr [eax], 006C006Ch
                        xor eax, 59007400h
                        add byte ptr [edi+00h], dl
                        push edx
                        add byte ptr [ecx+00h], dh
                        popad
                        add byte ptr [edi+00h], dl
                        push esi
                        add byte ptr [edi+00h], ch
                        popad
                        add byte ptr [ebp+00h], ch
                        push 61006800h
                        add byte ptr [ebp+00h], ch
                        dec edx
                        add byte ptr [eax], bh
                        add byte ptr [edi+00h], dl
                        push edi
                        add byte ptr [ecx], bh
                        add byte ptr [ecx+00h], bh
                        bound eax, dword ptr [eax]
                        xor al, byte ptr [eax]
                        insb
                        add byte ptr [eax+00h], bl
                        pop ecx
                        add byte ptr [edi+00h], dl
                        js 00007F08FC8BCE12h
                        jnc 00007F08FC8BCE12h
                        pop edx
                        add byte ptr [eax+00h], bl
                        push ecx
                        add byte ptr [ebx+00h], cl
                        popad
                        add byte ptr [edi+00h], dl
                        dec edx
                        add byte ptr [ebp+00h], dh
                        pop edx
                        add byte ptr [edi+00h], dl
                        jo 00007F08FC8BCE12h
                        imul eax, dword ptr [eax], 5Ah
                        add byte ptr [ebp+00h], ch
                        jo 00007F08FC8BCE12h
                        je 00007F08FC8BCE12h
                        bound eax, dword ptr [eax]
                        push edi
                        add byte ptr [eax+eax+77h], dh
                        add byte ptr [ecx+00h], bl
                        xor al, byte ptr [eax]
                        xor eax, 63007300h
                        add byte ptr [edi+00h], al
                        push esi
                        add byte ptr [ecx+00h], ch
                        popad
                        add byte ptr [edx], dh
                        add byte ptr [eax+00h], bh
                        je 00007F08FC8BCE12h
                        bound eax, dword ptr [eax]
                        insd
                        add byte ptr [eax+eax+76h], dh
                        add byte ptr [edx+00h], bl
                        push edi
                        add byte ptr [ecx], bh
                        add byte ptr [eax+00h], dh
                        popad
                        add byte ptr [edi+00h], al
                        cmp dword ptr [eax], eax
                        insd
                        add byte ptr [edx+00h], bl
                        push edi
                        add byte ptr [esi+00h], cl
                        cmp byte ptr [eax], al
                        push esi
                        add byte ptr [eax+00h], cl
                        dec edx
                        add byte ptr [esi+00h], dh
                        bound eax, dword ptr [eax]
                        insd
                        add byte ptr [eax+00h], bh
                        jo 00007F08FC8BCE12h
                        bound eax, dword ptr [eax]
                        insd
                        add byte ptr [ebx+00h], dh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b950 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b934 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e988 | 0x2ec00 | 2b9574a57e6f11c2403e283a81a605ac | False | 0.4696273395721925 | data | 6.204083226167587 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9c4 | 0x1cc00 | cd8498fb3382fb9b4405f65e17325adb | False | 0.23727072010869565 | data | 2.6057236427770576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x400 | 5f9126675f1b090ba1c2822a6e06dd56 | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x321a0 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35eb4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x466ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a924 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cedc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4df94 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e40c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e478 | 0x34a | data | | | 0.44655581947743467
RT_MANIFEST | 0x4e7d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T17:53:04.960515+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:11.181241+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:09.287354+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:06.888602+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:05.609737+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:08.667243+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:12.431195+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:07.247303+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:52:58.771941+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:56.539304+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49712 | 20.114.59.183 | 192.168.2.5
2024-07-26T17:53:07.851599+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:06.029459+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:18.061471+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49706 | 13.85.23.86 | 192.168.2.5
2024-07-26T17:53:04.657390+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:09.292515+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:12.092592+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:12.697306+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:08.104925+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:13.010752+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:11.838018+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:08.415709+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:04.096839+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:05.341493+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:08.964206+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:52:59.051787+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
2024-07-26T17:53:10.639458+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:11.436551+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
2024-07-26T17:53:04.496619+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jul 26, 2024 17:52:57.531431913 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:52:57.537616014 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:52:57.537693024 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:52:57.554933071 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:52:57.559849977 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:52:58.742700100 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:52:58.743396044 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:52:58.743489027 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:52:58.744636059 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:52:58.744690895 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:52:58.771940947 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:52:58.801554918 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:52:59.051786900 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:52:59.093211889 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:04.096838951 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:04.101711988 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.350493908 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.350507975 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.350513935 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.350518942 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.350532055 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.350687981 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:04.496618986 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.546386003 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:04.657390118 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:04.663531065 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.905837059 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:04.952610016 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:04.960515022 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:05.027523041 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.027529001 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.027594090 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.027668953 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.027673006 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.027741909 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:05.027863979 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.027868032 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.027874947 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.029820919 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.029839993 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.055424929 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.055433035 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.335925102 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.341492891 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:05.346879005 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.603708029 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.609736919 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:05.624207973 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.866133928 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:05.921484947 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:06.029459000 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:06.034542084 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:06.284569979 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:06.327651978 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:06.888602018 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:06.893852949 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:07.152647972 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:07.202589989 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:07.247303009 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:07.274003983 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:07.846749067 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:07.848843098 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:07.848901033 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:07.851598978 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:07.857105970 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:08.102273941 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:08.104924917 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:08.117896080 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:08.413136959 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:08.415709019 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:08.420553923 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:08.662550926 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:08.667243004 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:08.721715927 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:08.961874962 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:08.964205980 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:08.969090939 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.212260962 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.265247107 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.287353992 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.292362928 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.292392015 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.292515039 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.292541981 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.294147015 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294159889 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294163942 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294178963 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294188023 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294193029 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294200897 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294204950 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294214010 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294218063 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294220924 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.294228077 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294236898 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294240952 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294244051 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.294244051 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.294272900 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.294320107 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.300859928 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.300980091 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.302938938 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.303046942 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.303097963 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.306874037 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.306879044 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.306886911 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.306890965 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.306912899 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.306916952 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.306952000 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.306986094 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.306994915 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307017088 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307020903 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307045937 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.307071924 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307071924 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.307076931 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307127953 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.307585001 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307750940 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.307837963 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307856083 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307863951 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.307913065 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.308294058 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308343887 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.308361053 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308404922 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308420897 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.308451891 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308451891 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.308514118 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.308537006 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308541059 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308589935 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.308736086 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308741093 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308787107 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308792114 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308796883 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.308810949 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.308850050 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.309062004 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309504032 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309509039 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309609890 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309613943 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309626102 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309674025 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309678078 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309681892 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309700966 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309705019 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309746027 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309750080 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309850931 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.309921026 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310019970 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310024977 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310106993 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310151100 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310154915 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310163975 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310190916 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310597897 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310601950 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310611963 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310615063 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.310846090 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.310909033 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.311927080 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312035084 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312206030 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312210083 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312220097 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312223911 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312243938 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312247992 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312257051 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312261105 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312294960 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312299013 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312330008 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312367916 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312371969 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312381983 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312411070 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312416077 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312576056 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312625885 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312798977 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312810898 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312814951 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312868118 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312916040 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312967062 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312971115 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.312977076 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313014984 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313153982 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313332081 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313385963 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313498974 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313508987 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313599110 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313602924 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313688040 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313782930 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313787937 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313796997 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313802958 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313807011 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313921928 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313925982 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313935041 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313939095 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.313941956 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.314444065 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.314661026 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.314670086 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.314714909 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.314719915 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.314932108 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.314995050 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.321083069 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322056055 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322097063 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322102070 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322164059 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322211981 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322216034 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322225094 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322598934 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322702885 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322710991 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322715044 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322752953 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322757006 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322813988 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322832108 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322837114 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322933912 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322937012 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322962999 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.322967052 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323107958 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323141098 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323905945 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323914051 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323916912 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323924065 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323925972 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323940039 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323942900 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323950052 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323976994 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323986053 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.323988914 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324013948 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324018002 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324033022 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324037075 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324043989 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324080944 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324131966 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324135065 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324141979 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324158907 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324162960 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324229002 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324289083 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324291945 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324295044 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324335098 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324343920 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324420929 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324512005 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324516058 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324522972 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.324729919 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.324805975 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.326695919 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.326790094 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.326885939 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.326981068 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.326983929 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.326992989 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327025890 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327029943 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327076912 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327135086 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327138901 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327153921 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327157974 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327203989 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327282906 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327286005 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327294111 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327306986 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327310085 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327317953 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327357054 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327426910 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327435017 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327477932 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327486992 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327565908 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327574968 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327578068 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327594042 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327636003 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327640057 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327730894 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327734947 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327749014 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327753067 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327776909 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327790022 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327832937 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327845097 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327919006 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327922106 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327929974 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.327999115 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328007936 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328020096 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328109980 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328114033 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328120947 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328157902 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328161955 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328242064 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.328619957 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.329072952 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.329158068 CEST | 49704 | 9137 | 192.168.2.5 | 185.215.113.9
                        Jul 26, 2024 17:53:09.330255032 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.330290079 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.331213951 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.331218004 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.331221104 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.331224918 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.332365036 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.332412958 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.332485914 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.332540989 CEST | 9137 | 49704 | 185.215.113.9 | 192.168.2.5
                        Jul 26, 2024 17:53:09.332545042 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332617044 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332619905 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332727909 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332731962 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332740068 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332742929 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332750082 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332753897 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332762003 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332775116 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332787037 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332793951 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332797050 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.332885981 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333002090 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333040953 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333045006 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333268881 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333271980 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333280087 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333282948 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333291054 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.333293915 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.335016012 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.335191965 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:09.335243940 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.335261106 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:09.335680962 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.335848093 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:09.335916996 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:09.340253115 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340341091 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340394020 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340473890 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340476990 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340492010 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340651989 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340657949 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340771914 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.340775967 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.341099977 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.341356993 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.341636896 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.341640949 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.386981010 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:09.387280941 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:09.387346983 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:09.387460947 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:09.439205885 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:10.612859011 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:10.639457941 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:10.645189047 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.146013021 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.147845984 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.147933960 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:11.181241035 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:11.191390991 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.431571960 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.436551094 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:11.441626072 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.441639900 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.441651106 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.441659927 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.441739082 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.441771984 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.441858053 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.442056894 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.835877895 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:11.838017941 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:11.843276978 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:12.089555025 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:12.092592001 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:12.120547056 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:12.430394888 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:12.431195021 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:12.438395977 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:12.692397118 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:12.697305918 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:12.705673933 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:12.951303959 CEST913749704185.215.113.9192.168.2.5
                        Jul 26, 2024 17:53:13.000430107 CEST497049137192.168.2.5185.215.113.9
                        Jul 26, 2024 17:53:13.010751963 CEST497049137192.168.2.5185.215.113.9
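
The packet table above records one TCP session between the sandbox host 192.168.2.5 (ephemeral port 49704) and 185.215.113.9 on port 9137, the non-standard port the report's signatures flag. As an added example that is not part of the Joe Sandbox report, the script below parses rows of that table (a constructed six-row excerpt, tab-separated, copied from the table), treats the RFC 1918 endpoint as the client, counts packets per direction, times the session and flags the server port when it is not on a well-known-service allow-list. The allow-list and the function names are assumptions of this example, not something the report defines.

```python
"""Summarise one TCP session from a Joe Sandbox packet timeline.

Added example, not part of the Joe Sandbox report. Input rows are
tab-separated: timestamp, source port, destination port, source IP,
destination IP. The well-known-port allow-list is an assumption and the
function names are mine.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Assumption: ports a sandboxed sample might plausibly contact for legitimate
# reasons; an outbound session to anything else deserves a second look.
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389}

# Constructed excerpt: six rows copied from the TCP packet table above.
SAMPLE_ROWS = """\
Jul 26, 2024 17:53:09.327357054 CEST\t9137\t49704\t185.215.113.9\t192.168.2.5
Jul 26, 2024 17:53:09.329072952 CEST\t49704\t9137\t192.168.2.5\t185.215.113.9
Jul 26, 2024 17:53:09.329158068 CEST\t49704\t9137\t192.168.2.5\t185.215.113.9
Jul 26, 2024 17:53:10.612859011 CEST\t9137\t49704\t185.215.113.9\t192.168.2.5
Jul 26, 2024 17:53:11.147845984 CEST\t9137\t49704\t185.215.113.9\t192.168.2.5
Jul 26, 2024 17:53:13.010751963 CEST\t49704\t9137\t192.168.2.5\t185.215.113.9
"""


def parse_timestamp(text):
    """'Jul 26, 2024 17:53:09.327357054 CEST' -> naive datetime.

    The zone suffix is dropped and the nine-digit fraction is truncated to
    microseconds, the most strptime's %f accepts.
    """
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    """Split tab-separated rows into packet dicts, skipping blank lines."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = line.split("\t")
        packets.append({"ts": parse_timestamp(ts), "sport": int(sport),
                        "dport": int(dport), "src": src, "dst": dst})
    return packets


def summarize_session(packets):
    """Treat the RFC 1918 endpoint as the client, then count and time the session."""
    first = packets[0]
    if ipaddress.ip_address(first["src"]).is_private:
        client, server, server_port = first["src"], first["dst"], first["dport"]
    else:
        client, server, server_port = first["dst"], first["src"], first["sport"]
    directions = Counter("to_server" if p["src"] == client else "from_server"
                         for p in packets)
    times = sorted(p["ts"] for p in packets)
    return {
        "client": client,
        "server": server,
        "server_port": server_port,
        "packets_to_server": directions["to_server"],
        "packets_from_server": directions["from_server"],
        "duration_s": (times[-1] - times[0]).total_seconds(),
        "non_standard_port": server_port not in WELL_KNOWN_PORTS,
    }


if __name__ == "__main__":
    summary = summarize_session(parse_rows(SAMPLE_ROWS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The client/server decision rests on the first packet only, which is enough for a sandbox capture where every row belongs to one session; on a mixed capture you would group rows by the sorted (ip, port) pair first and run the summary per group.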

                        Target ID:0
                        Start time:11:52:55
                        Start date:26/07/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x7c0000
                        File size:311'296 bytes
                        MD5 hash:4E0235942A9CDE99EE2EE0EE1A736E4F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1990396384.00000000007C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2157793083.0000000002C18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2157793083.0000000002D6B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                          Execution Graph

                          Execution Coverage:6.8%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:52
                          Total number of Limit Nodes:9
                          execution_graph (one node per line: node id, address, API called at that node; "->" lists the successor nodes)
                          30583  116d300  DuplicateHandle  -> 30584
                          30584  116d396
                          30585  116ad38  -> 30589, 30597
                          30586  116ad47
                          30589  116ae30  -> 30590, 30591
                          30590  116ae41  -> 30591, 30605, 30609
                          30591  116ae64  -> 30586
                          30592  116ae5c  -> 30591, 30593
                          30593  116b068  GetModuleHandleW  -> 30594
                          30594  116b095  -> 30586
                          30597  116ae20  -> 30598, 30599
                          30598  116ae41  -> 30599, 30603, 30604
                          30599  116ae64  -> 30586
                          30600  116ae5c  -> 30599, 30601
                          30601  116b068  GetModuleHandleW  -> 30602
                          30602  116b095  -> 30586
                          30603  116b0b8  LoadLibraryExW  -> 30600
                          30604  116b0c8  LoadLibraryExW  -> 30600
                          30605  116b0b8  -> 30606
                          30606  116b0dc  -> 30607, 30613
                          30607  116b101  -> 30592
                          30609  116b0c8  -> 30610
                          30610  116b0dc  -> 30611, 30612
                          30611  116a870  LoadLibraryExW  -> 30612
                          30612  116b101  -> 30592
                          30613  116a870  -> 30614
                          30614  116b2a8  LoadLibraryExW  -> 30616
                          30616  116b321  -> 30607
                          30617  116d0b8  -> 30618
                          30618  116d0fe  GetCurrentProcess  -> 30620, 30621
                          30620  116d150  GetCurrentThread  -> 30622, 30623
                          30621  116d149  -> 30620
                          30622  116d186  -> 30623
                          30623  116d18d  GetCurrentProcess  -> 30624
                          30624  116d1c3  -> 30625
                          30625  116d1eb  GetCurrentThreadId  -> 30626
                          30626  116d21c
                          30627  1164668  -> 30628
                          30628  1164684  -> 30629, 30631
                          30629  1164696
                          30631  11647a0  -> 30632
                          30632  11647c5  -> 30636, 30640
                          30636  11648b0  -> 30637
                          30637  11648d7  -> 30639, 30644
                          30639  11649b4
                          30640  11648a1  -> 30641
                          30641  11648d7  -> 30642, 30643
                          30642  1164248  CreateActCtxA  -> 30643
                          30643  11649b4
                          30644  1164248  -> 30645
                          30645  1165940  CreateActCtxA  -> 30647
                          30647  1165a03
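
The execution graph and the control-flow graphs on this page share one token grammar when copied out of the report: a decimal node id, then its address (or address range), then any label tokens (API names, "call", call targets), with edges written as A->B. As an added example that is not part of the Joe Sandbox report, the script below parses a constructed slice of the execution graph (the GetCurrentProcess/GetCurrentThread chain, nodes 30617 to 30626), finds the entry node, lists the API calls reachable from it in breadth-first order, and renders Graphviz DOT so the graph can be viewed with `dot`. The grammar is inferred from the dumps here, the parser assumes label tokens are never purely decimal (true for every graph on this page), and the function names are mine.

```python
"""Parse a Joe Sandbox execution/control-flow graph dump and walk it.

Added example, not part of the Joe Sandbox report. The token grammar is
inferred from the dumps on this page: a node is a decimal id followed by its
address (or address range), then any label tokens (API names, "call", call
targets); an edge is "A->B". Assumption: label tokens are never purely
decimal, which holds for the graphs on this page. Function names are mine.
"""
from collections import deque

# Constructed input: the GetCurrentProcess/GetCurrentThread chain (nodes
# 30617..30626) copied from the execution graph above.
SAMPLE_GRAPH = (
    "execution_graph 30617 116d0b8 30618 116d0fe GetCurrentProcess 30617->30618 "
    "30620 116d150 GetCurrentThread 30618->30620 30621 116d149 30618->30621 "
    "30622 116d186 30620->30622 30623 116d18d GetCurrentProcess 30620->30623 "
    "30621->30620 30622->30623 30624 116d1c3 30623->30624 "
    "30625 116d1eb GetCurrentThreadId 30624->30625 30626 116d21c 30625->30626"
)


def parse_graph(text):
    """Return ({node_id: {"addr": str, "labels": [str]}}, [(src, dst), ...])."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            current = None  # labels never follow an edge in this grammar
        elif tok.isdigit():
            current = int(tok)
            # The token right after an id is always its address or range,
            # even when that address happens to be all decimal digits.
            nodes[current] = {"addr": tokens[i + 1], "labels": []}
            i += 1
        elif current is not None:
            nodes[current]["labels"].append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} outside a node")
        i += 1
    return nodes, edges


def entry_nodes(nodes, edges):
    """Nodes with no incoming edge: the graph's entry points."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable_api_calls(nodes, edges, start):
    """Breadth-first walk from start; returns [(node_id, label)] in visit order."""
    successors = {}
    for src, dst in edges:
        successors.setdefault(src, []).append(dst)
    seen, queue, calls = {start}, deque([start]), []
    while queue:
        node = queue.popleft()
        calls.extend((node, label) for label in nodes[node]["labels"])
        for nxt in sorted(successors.get(node, [])):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return calls


def to_dot(nodes, edges):
    """Render the graph as Graphviz DOT for viewing with `dot -Tsvg`."""
    lines = ["digraph g {"]
    for node_id, info in sorted(nodes.items()):
        label = " ".join([info["addr"]] + info["labels"])
        lines.append(f'  n{node_id} [label="{label}"];')
    lines.extend(f"  n{src} -> n{dst};" for src, dst in edges)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE_GRAPH)
    for entry in entry_nodes(nodes, edges):
        print(f"entry node {entry} at {nodes[entry]['addr']}")
        for node_id, api in reachable_api_calls(nodes, edges, entry):
            print(f"  {node_id} {nodes[node_id]['addr']} {api}")
    print(to_dot(nodes, edges))
```

Feeding the whole execution_graph line to parse_graph yields every API-calling node in one pass, which is quicker than reading the graph by eye when triaging which imports a dynamic code region actually reaches.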

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 659 62c3f50-62c3f84 662 62c3f86-62c3f8f 659->662 663 62c3f92-62c3fa5 659->663 662->663 664 62c3fab-62c3fae 663->664 665 62c4215-62c4219 663->665 669 62c3fbd-62c3fc9 664->669 670 62c3fb0-62c3fb5 664->670 667 62c422e-62c4238 665->667 668 62c421b-62c422b 665->668 668->667 671 62c3fcf-62c3fe1 669->671 672 62c4253-62c4299 669->672 670->669 677 62c414d-62c415b 671->677 678 62c3fe7-62c403a 671->678 679 62c42a8-62c42d0 672->679 680 62c429b-62c42a5 672->680 683 62c41e0-62c41e2 677->683 684 62c4161-62c416f 677->684 708 62c403c-62c4048 call 62c3c88 678->708 709 62c404a 678->709 702 62c4425-62c4443 679->702 703 62c42d6-62c42ef 679->703 680->679 690 62c41e4-62c41ea 683->690 691 62c41f0-62c41fc 683->691 688 62c417e-62c418a 684->688 689 62c4171-62c4176 684->689 688->672 694 62c4190-62c41bf 688->694 689->688 692 62c41ec 690->692 693 62c41ee 690->693 699 62c41fe-62c420f 691->699 692->691 693->691 715 62c41d0-62c41de 694->715 716 62c41c1-62c41ce 694->716 699->664 699->665 720 62c44ae-62c44b8 702->720 721 62c4445-62c4467 702->721 717 62c42f5-62c430b 703->717 718 62c4406-62c441f 703->718 712 62c404c-62c405c 708->712 709->712 728 62c405e-62c4075 712->728 729 62c4077-62c4079 712->729 715->665 716->715 717->718 739 62c4311-62c435f 717->739 718->702 718->703 740 62c44b9-62c450a 721->740 741 62c4469-62c4485 721->741 728->729 730 62c407b-62c4089 729->730 731 62c40c2-62c40c4 729->731 730->731 745 62c408b-62c409d 730->745 735 62c40c6-62c40d0 731->735 736 62c40d2-62c40e2 731->736 735->736 748 62c411b-62c4127 735->748 749 62c410d-62c4110 736->749 750 62c40e4-62c40f2 736->750 787 62c4389-62c43ad 739->787 788 62c4361-62c4387 739->788 774 62c450c-62c4528 740->774 775 62c452a-62c4568 740->775 752 62c44a9-62c44ac 741->752 758 62c409f-62c40a1 745->758 759 62c40a3-62c40a7 745->759 748->699 766 62c412d-62c4148 748->766 808 62c4113 call 62c48a8 749->808 809 62c4113 call 62c48b8 749->809 763 62c40f4-62c4103 750->763 764 62c4105-62c4108 750->764 752->720 755 62c4493-62c4496 752->755 755->740 765 62c4498-62c44a8 755->765 756 62c4119 756->748 762 62c40ad-62c40bc 758->762 759->762 762->731 776 62c4239-62c424c 762->776 763->748 764->665 765->752 766->665 774->775 776->672 797 62c43df-62c43f8 787->797 798 62c43af-62c43c6 787->798 788->787 801 62c43fa 797->801 802 62c4403-62c4404 797->802 805 62c43c8-62c43cb 798->805 806 62c43d2-62c43dd 798->806 801->802 802->718 805->806 806->797 806->798 808->756 809->756
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: $]q
                          • API String ID: 0-1007455737
                          • Opcode ID: 27f4b81fadea49df15f6036b9edddb74776dab534d761d38aba40c81dd5848d0
                          • Instruction ID: 0fa8901e571b640b1e2a32b1a90ebd36dcf8565dd9981ad3b2c35afdb6104a1a
                          • Opcode Fuzzy Hash: 27f4b81fadea49df15f6036b9edddb74776dab534d761d38aba40c81dd5848d0
                          • Instruction Fuzzy Hash: F9126F34B102058FCB54DF78C9A4AAEBBF6BF88710B158169E806EB365DB70DC41CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d214c02af903f2adf84c465f6b6e9f51b8f33883ca6b259910208a6a40e97ca6
                          • Instruction ID: bc06d0beb2dde20b8070b943b146a1f3e412d38ea7a0ae2684a6dd83c02e28aa
                          • Opcode Fuzzy Hash: d214c02af903f2adf84c465f6b6e9f51b8f33883ca6b259910208a6a40e97ca6
                          • Instruction Fuzzy Hash: 9FF1E630A102069FCB15DF68D994B9EBBF6FF84310F148669E805EB2A1DB35DD45CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8f39a896fdb111a007f4546b8d2a1e018c4cb8f647c92eabb19686ca531ab89c
                          • Instruction ID: 25b92e8433bcabeee0df978e6d0428d85f074f7d59eb667241d1ffe05dbcbb31
                          • Opcode Fuzzy Hash: 8f39a896fdb111a007f4546b8d2a1e018c4cb8f647c92eabb19686ca531ab89c
                          • Instruction Fuzzy Hash: 95D1E870D01318CFCB14EFB5D858AADBBB2FF8A302F5081A9D54AAB254DB315986CF11

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 294 62b0d80-62b0dcb 299 62b0efd-62b0f10 294->299 300 62b0dd1-62b0dd3 294->300 304 62b1006-62b1011 299->304 305 62b0f16-62b0f25 299->305 301 62b0dd6-62b0de5 300->301 307 62b0deb-62b0e1d 301->307 308 62b0e9d-62b0ea1 301->308 306 62b1019-62b1022 304->306 313 62b0f2b-62b0f51 305->313 314 62b0fd1-62b0fd5 305->314 342 62b0e1f-62b0e24 307->342 343 62b0e26-62b0e2d 307->343 310 62b0ea3-62b0eae 308->310 311 62b0eb0 308->311 312 62b0eb5-62b0eb8 310->312 311->312 312->306 316 62b0ebe-62b0ec2 312->316 344 62b0f5a-62b0f61 313->344 345 62b0f53-62b0f58 313->345 317 62b0fd7-62b0fe2 314->317 318 62b0fe4 314->318 322 62b0ed1 316->322 323 62b0ec4-62b0ecf 316->323 321 62b0fe6-62b0fe8 317->321 318->321 325 62b0fea-62b0ff4 321->325 326 62b1039-62b10b5 321->326 327 62b0ed3-62b0ed5 322->327 323->327 337 62b0ff7-62b1000 325->337 376 62b10bb-62b10bd 326->376 377 62b1189-62b119c 326->377 332 62b0edb-62b0ee5 327->332 333 62b1025-62b1032 327->333 346 62b0ee8-62b0ef2 332->346 333->326 337->304 337->305 347 62b0e91-62b0e9b 342->347 349 62b0e2f-62b0e50 343->349 350 62b0e52-62b0e76 343->350 351 62b0f63-62b0f84 344->351 352 62b0f86-62b0faa 344->352 348 62b0fc5-62b0fcf 345->348 346->301 353 62b0ef8 346->353 347->346 348->337 349->347 366 62b0e78-62b0e7e 350->366 367 62b0e8e 350->367 351->348 368 62b0fac-62b0fb2 352->368 369 62b0fc2 352->369 353->306 371 62b0e82-62b0e84 366->371 372 62b0e80 366->372 367->347 373 62b0fb6-62b0fb8 368->373 374 62b0fb4 368->374 369->348 371->367 372->367 373->369 374->369 378 62b10c0-62b10cf 376->378 380 62b11a2-62b11b1 377->380 381 62b1234-62b123f 377->381 383 62b1129-62b112d 378->383 384 62b10d1-62b10dd 378->384 391 62b11ff-62b1203 380->391 392 62b11b3-62b11dc 380->392 386 62b1247-62b1250 381->386 387 62b112f-62b113a 383->387 388 62b113c 383->388 397 62b10e7-62b10fe 384->397 390 62b1141-62b1144 387->390 388->390 390->386 395 62b114a-62b114e 390->395 393 62b1212 391->393 394 62b1205-62b1210 391->394 415 62b11de-62b11e4 392->415 416 62b11f4-62b11fd 392->416 400 62b1214-62b1216 393->400 394->400 398 62b115d 395->398 399 62b1150-62b115b 395->399 406 62b1104-62b1106 397->406 405 62b115f-62b1161 398->405 399->405 403 62b1218-62b1222 400->403 404 62b1267-62b1290 400->404 419 62b1225-62b122e 403->419 428 62b1292-62b12af 404->428 429 62b12c0 404->429 409 62b1253-62b1260 405->409 410 62b1167-62b1171 405->410 412 62b1108-62b110e 406->412 413 62b111e-62b1127 406->413 409->404 426 62b1174-62b117e 410->426 417 62b1112-62b1114 412->417 418 62b1110 412->418 413->426 420 62b11e8-62b11ea 415->420 421 62b11e6 415->421 416->419 417->413 418->413 419->380 419->381 420->416 421->416 426->378 430 62b1184 426->430 432 62b12c7-62b12e9 428->432 433 62b12b1-62b12b7 428->433 429->432 430->386 438 62b12ec-62b12f0 432->438 434 62b12bb-62b12bd 433->434 435 62b12b9 433->435 434->429 435->432 439 62b12f9-62b12fe 438->439 440 62b12f2-62b12f7 438->440 441 62b1304-62b1307 439->441 440->441 442 62b14f8-62b1500 441->442 443 62b130d-62b1322 441->443 443->438 445 62b1324 443->445 446 62b132b-62b1350 445->446 447 62b1498 445->447 448 62b13e0-62b1405 445->448 458 62b1352-62b1354 446->458 459 62b1356-62b135a 446->459 449 62b14a2-62b14b9 447->449 460 62b140b-62b140f 448->460 461 62b1407-62b1409 448->461 452 62b14bf-62b14f3 449->452 452->438 465 62b13b8-62b13db 458->465 466 62b137b-62b139e 459->466 467 62b135c-62b1379 459->467 463 62b1411-62b142e 460->463 464 62b1430-62b1453 460->464 462 62b146d-62b1493 461->462 462->438 463->462 482 62b146b 464->482 483 62b1455-62b145b 464->483 465->438 484 62b13a0-62b13a6 466->484 485 62b13b6 466->485 467->465 482->462 486 62b145f-62b1461 483->486 487 62b145d 483->487 488 62b13aa-62b13ac 484->488 489 62b13a8 484->489 485->465 486->482 487->482 488->485 489->485
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                          • API String ID: 0-2551331179
                          • Opcode ID: 944ddcdbab4c83bfec884358bdc1087d63e9cf56b21e54daf24d58f29046e64f
                          • Instruction ID: e8543fad092eb76a3e8b118ff37adb58128ba62516194ba16fad3059d136e691
                          • Opcode Fuzzy Hash: 944ddcdbab4c83bfec884358bdc1087d63e9cf56b21e54daf24d58f29046e64f
                          • Instruction Fuzzy Hash: 8522D530B202059FDB559B69C958AAE7BF6FF89300B14945AED06CB3A2CF74DC11CB51

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 490 62b1582-62b1584 491 62b158e 490->491 492 62b1598-62b15af 491->492 493 62b15b5-62b15b7 492->493 494 62b15b9-62b15bf 493->494 495 62b15cf-62b15f1 493->495 496 62b15c3-62b15c5 494->496 497 62b15c1 494->497 500 62b1638-62b163f 495->500 496->495 497->495 501 62b1571-62b1580 500->501 502 62b1645-62b1747 500->502 501->490 505 62b15f3-62b15f7 501->505 506 62b15f9-62b1604 505->506 507 62b1606 505->507 509 62b160b-62b160e 506->509 507->509 509->502 511 62b1610-62b1614 509->511 513 62b1623 511->513 514 62b1616-62b1621 511->514 515 62b1625-62b1627 513->515 514->515 517 62b174a-62b17a7 515->517 518 62b162d-62b1637 515->518 525 62b17a9-62b17af 517->525 526 62b17bf-62b17e1 517->526 518->500 527 62b17b3-62b17b5 525->527 528 62b17b1 525->528 531 62b17e4-62b17e8 526->531 527->526 528->526 532 62b17ea-62b17ef 531->532 533 62b17f1-62b17f6 531->533 534 62b17fc-62b17ff 532->534 533->534 535 62b1abf-62b1ac7 534->535 536 62b1805-62b181a 534->536 536->531 538 62b181c 536->538 539 62b18d8-62b198b 538->539 540 62b1823-62b18d3 538->540 541 62b1990-62b19bd 538->541 542 62b1a07-62b1a2c 538->542 539->531 540->531 560 62b19c3-62b19cd 541->560 561 62b1b36-62b1b73 541->561 558 62b1a2e-62b1a30 542->558 559 62b1a32-62b1a36 542->559 562 62b1a94-62b1aba 558->562 563 62b1a38-62b1a55 559->563 564 62b1a57-62b1a7a 559->564 567 62b19d3-62b1a02 560->567 568 62b1b00-62b1b2f 560->568 562->531 563->562 585 62b1a7c-62b1a82 564->585 586 62b1a92 564->586 567->531 568->561 588 62b1a86-62b1a88 585->588 589 62b1a84 585->589 586->562 588->586 589->586
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                          • API String ID: 0-3723351465
                          • Opcode ID: 0084f52ef698ebbde9b4b8bafd0db09eae4c66814cc1ce407fb7864e1cdbeea1
                          • Instruction ID: 2a473178aa5edde0a0546da6ee9f9245c7602feab22106517108cde646bfd228
                          • Opcode Fuzzy Hash: 0084f52ef698ebbde9b4b8bafd0db09eae4c66814cc1ce407fb7864e1cdbeea1
                          • Instruction Fuzzy Hash: B3C118307602029FDB559B68C8A8A7E7BE6FF89304F10585AD9028F392CFB5DC15C761

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 593 116d0a8-116d147 GetCurrentProcess 597 116d150-116d184 GetCurrentThread 593->597 598 116d149-116d14f 593->598 599 116d186-116d18c 597->599 600 116d18d-116d1c1 GetCurrentProcess 597->600 598->597 599->600 602 116d1c3-116d1c9 600->602 603 116d1ca-116d1e5 call 116d289 600->603 602->603 606 116d1eb-116d21a GetCurrentThreadId 603->606 607 116d223-116d285 606->607 608 116d21c-116d222 606->608 608->607
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0116D136
                          • GetCurrentThread.KERNEL32 ref: 0116D173
                          • GetCurrentProcess.KERNEL32 ref: 0116D1B0
                          • GetCurrentThreadId.KERNEL32 ref: 0116D209
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 0c413ab459af3247c6550c0b678e81bae4ea020ad4d0fb820e8468c7618bd31e
                          • Instruction ID: 9bfdf29d5d77d4f59f31bf92557d01fa370fd25cdb6453516aad9c2c853ee13f
                          • Opcode Fuzzy Hash: 0c413ab459af3247c6550c0b678e81bae4ea020ad4d0fb820e8468c7618bd31e
                          • Instruction Fuzzy Hash: 3E5168B0900249CFDB08DFAAE548BAEBFF5EF48304F20C459E049A7360DB799944CB65

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 615 116d0b8-116d147 GetCurrentProcess 619 116d150-116d184 GetCurrentThread 615->619 620 116d149-116d14f 615->620 621 116d186-116d18c 619->621 622 116d18d-116d1c1 GetCurrentProcess 619->622 620->619 621->622 624 116d1c3-116d1c9 622->624 625 116d1ca-116d1e5 call 116d289 622->625 624->625 628 116d1eb-116d21a GetCurrentThreadId 625->628 629 116d223-116d285 628->629 630 116d21c-116d222 628->630 630->629
                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0116D136
                          • GetCurrentThread.KERNEL32 ref: 0116D173
                          • GetCurrentProcess.KERNEL32 ref: 0116D1B0
                          • GetCurrentThreadId.KERNEL32 ref: 0116D209
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 5b0b0d0b8d3d0ef8d84d5dede2046e435019660e8d5ddb6a50688e974805d953
                          • Instruction ID: b9955f398bad4ccd69334dc9d734e078a89f954388f23a864628570b1ad71e3b
                          • Opcode Fuzzy Hash: 5b0b0d0b8d3d0ef8d84d5dede2046e435019660e8d5ddb6a50688e974805d953
                          • Instruction Fuzzy Hash: 095156B0900209CFDB08DFAAE548BAEBFF5EF48314F20C459E509A7360CB799944CB65

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 810 116ae30-116ae3f 811 116ae41-116ae4e call 1169838 810->811 812 116ae6b-116ae6f 810->812 817 116ae64 811->817 818 116ae50 811->818 813 116ae83-116aec4 812->813 814 116ae71-116ae7b 812->814 821 116aec6-116aece 813->821 822 116aed1-116aedf 813->822 814->813 817->812 867 116ae56 call 116b0b8 818->867 868 116ae56 call 116b0c8 818->868 821->822 824 116af03-116af05 822->824 825 116aee1-116aee6 822->825 823 116ae5c-116ae5e 823->817 828 116afa0-116afb7 823->828 829 116af08-116af0f 824->829 826 116aef1 825->826 827 116aee8-116aeef call 116a814 825->827 831 116aef3-116af01 826->831 827->831 843 116afb9-116b018 828->843 832 116af11-116af19 829->832 833 116af1c-116af23 829->833 831->829 832->833 835 116af25-116af2d 833->835 836 116af30-116af39 call 116a824 833->836 835->836 841 116af46-116af4b 836->841 842 116af3b-116af43 836->842 844 116af4d-116af54 841->844 845 116af69-116af76 841->845 842->841 861 116b01a-116b060 843->861 844->845 846 116af56-116af66 call 116a834 call 116a844 844->846 852 116af78-116af96 845->852 853 116af99-116af9f 845->853 846->845 852->853 862 116b062-116b065 861->862 863 116b068-116b093 GetModuleHandleW 861->863 862->863 864 116b095-116b09b 863->864 865 116b09c-116b0b0 863->865 864->865 867->823 868->823
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0116B086
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0

                          Control-flow Graph

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 011659F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          Control-flow Graph

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 011659F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          Control-flow Graph

                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0116B101,00000800,00000000,00000000), ref: 0116B312
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0116D387
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0116D387
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0

                          Control-flow Graph

                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0116B101,00000800,00000000,00000000), ref: 0116B312
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0

                          Control-flow Graph

                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0116B101,00000800,00000000,00000000), ref: 0116B312
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0116B086
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4']q
                          • API String ID: 0-1259897404
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4']q
                          • API String ID: 0-1259897404
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4']q
                          • API String ID: 0-1259897404
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4']q
                          • API String ID: 0-1259897404
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4']q
                          • API String ID: 0-1259897404
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4']q
                          • API String ID: 0-1259897404
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4']q
                          • API String ID: 0-1259897404
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6796c04f548c70c96fb0ef64c4a090205b68bd5a7bd2587e8fef74f35b486d1a
                          • Instruction ID: 6fe2e32b92edcb8ca417cde5551e1d38df4e892a96f6330672d4bc09f611a29f
                          • Opcode Fuzzy Hash: 6796c04f548c70c96fb0ef64c4a090205b68bd5a7bd2587e8fef74f35b486d1a
                          • Instruction Fuzzy Hash: 03415B35A10606CFCB14CF59C8809AABBF2FF89320B15CA99E955AB365D731F911CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 19056c9ca4c5e8c4c60f960d233d7b963ec7b084c518b390537dc48d71b3c503
                          • Instruction ID: eb1c7fc12a866d5d8f94f1b70c6330a28418c17dc047af2134ede2065386bbc6
                          • Opcode Fuzzy Hash: 19056c9ca4c5e8c4c60f960d233d7b963ec7b084c518b390537dc48d71b3c503
                          • Instruction Fuzzy Hash: 94319A75B112019FCB05DF38D8949AE7FB2BF89200B158569E805CB3A5DB34ED46CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76fabacddcfd5fd5642bebfe61c670f296bc18989726f90725c42fb8c14c2663
                          • Instruction ID: a0bb02cf6b65aff30361cc154d1eed431fd29cb213a88344e74889c8420dc59e
                          • Opcode Fuzzy Hash: 76fabacddcfd5fd5642bebfe61c670f296bc18989726f90725c42fb8c14c2663
                          • Instruction Fuzzy Hash: 4B315B347083545FCB096F38A82846A3FABEFCE22931145BBE909CB352DE718C09C751
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 23153594768a32af69f4d3e826921dfddcbf2a08a3911c404872750950d079b7
                          • Instruction ID: 47443b257291b4ac307d0c85ba486dc7a0134c6fbf94d3f980126c1e65e8eb97
                          • Opcode Fuzzy Hash: 23153594768a32af69f4d3e826921dfddcbf2a08a3911c404872750950d079b7
                          • Instruction Fuzzy Hash: F5318934B112119FCB19DF38D89896EBBB6FF89300B108469E806CB3A5DB34ED55CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8f80d4444094bbbe507b15ad2b19956ffa19ab132694a6f2829e22eabf7bee6e
                          • Instruction ID: 312309d76fb98d08cb91c35ed6c06ec4686e19f2efdba5f5b63ea91eb10bb1ae
                          • Opcode Fuzzy Hash: 8f80d4444094bbbe507b15ad2b19956ffa19ab132694a6f2829e22eabf7bee6e
                          • Instruction Fuzzy Hash: 4A41F0B1D1120CDFDB54DFAAD940ADEFFB6AF88310F10812AE819A7250DB34A945CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d061feb1927d4aa5230cc31431a99022546145dfa67939c151937f3a885961e9
                          • Instruction ID: d6e1b092413b919ecbc3cf07720c7c037291ffc62e2de1796dc326c80909a954
                          • Opcode Fuzzy Hash: d061feb1927d4aa5230cc31431a99022546145dfa67939c151937f3a885961e9
                          • Instruction Fuzzy Hash: 4A318E35E2524A9FCB05CF69C8808DEFBB2FF89300B15806AEC44EB361DB30A945CB51
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166546591.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62b0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0fcda601f0793cd19123964102e15b6a7ab76ab27292215b84dc8f1666b6b214
                          • Instruction ID: 98b790cfbd043a945286f9b8366a56d49ea9a04fdd43c3048272abe52ee0e3d0
                          • Opcode Fuzzy Hash: 0fcda601f0793cd19123964102e15b6a7ab76ab27292215b84dc8f1666b6b214
                          • Instruction Fuzzy Hash: 842179307102459FC741DB79DD189AEBBF6EF85310719556AD815CB2A2CB30CC24C791
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bcd73a7fa8d57374f8bf74c0003531eff2ac2e2c27fd4d149533afd095ff659b
                          • Instruction ID: c224a2016daff4fe50b342a27da58c377c64ac70f902fdd7f137524a3b6c62f1
                          • Opcode Fuzzy Hash: bcd73a7fa8d57374f8bf74c0003531eff2ac2e2c27fd4d149533afd095ff659b
                          • Instruction Fuzzy Hash: 5E3112B1D10248DFDB14DFA9C944ADEBFF6AF48310F10822AD819A7290DB385945CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cac0b273d8f66a4b0160b243f43852a78bb86086f56e86fa78c6238111fcffa0
                          • Instruction ID: 9934405218c2ea0d66688ce7f4d16287f839425a8c95d3f35bc098468dc31b48
                          • Opcode Fuzzy Hash: cac0b273d8f66a4b0160b243f43852a78bb86086f56e86fa78c6238111fcffa0
                          • Instruction Fuzzy Hash: 703114B1D11218DFDB14DFA9D890ADEBFF9AF48320F14812AE809E7240C778A845CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2156737953.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10ed000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bba9e265c4cb4090cda8068a7d695bb2956ff271b68b0e8720a38064f8a042d
                          • Instruction ID: 7b55ed6e9153e9cc44f0c84adca80525b4cc28d5c42cce9d538d1e675743dce3
                          • Opcode Fuzzy Hash: 6bba9e265c4cb4090cda8068a7d695bb2956ff271b68b0e8720a38064f8a042d
                          • Instruction Fuzzy Hash: 95212872500240DFDB05DF59D9C4F2ABFE5FB88318F20C5A9D9490B256C336D456CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2156815198.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10fd000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c5b323d411f8d201df6ca14721c132982a98803163931e06f071bf00d60a895
                          • Instruction ID: 979bc18b57ffab6a32bfdc1b75e2856d780ea7e6196960c74b835f86ddc050d7
                          • Opcode Fuzzy Hash: 7c5b323d411f8d201df6ca14721c132982a98803163931e06f071bf00d60a895
                          • Instruction Fuzzy Hash: 10212571504200DFDB15DF68D581B16BFA5FB84314F20C5ADEA894B756C33AD407CB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e3cb7335e952daaa34d2a2cd90953c2fefb9febf13a29e1415c0ad6fe359ff7e
                          • Instruction ID: 4668d3aa255528f19c654e6a4e1a588bbd12eac327aa7544b99dc44643d090a9
                          • Opcode Fuzzy Hash: e3cb7335e952daaa34d2a2cd90953c2fefb9febf13a29e1415c0ad6fe359ff7e
                          • Instruction Fuzzy Hash: 9621D0B5D1420ADFCB40CFA8D5856EEBBB1FB09321F5081AAE915A7351D7385A81CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4457ff40a2f4c1c41e14aec031c74669e336f3cd7383bf172862e1ed1df2fa13
                          • Instruction ID: 3e7e3299e9a44041ad42da4e3a05153a1d2ef52f0ac8bcb6ab8f3c8094d59b67
                          • Opcode Fuzzy Hash: 4457ff40a2f4c1c41e14aec031c74669e336f3cd7383bf172862e1ed1df2fa13
                          • Instruction Fuzzy Hash: 1B113D32A053A14FC351EF3DEAB14E93FA4DD8623031445ABE089CF132C564C80EC385
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7133b9732f89fb0f43497bd4807f1180ad9bbc8a9a27621496e96f5a739e89b8
                          • Instruction ID: 9095c84df73f85df6021a6c57a707545396e80412cdc1eb5ad62df75589ae769
                          • Opcode Fuzzy Hash: 7133b9732f89fb0f43497bd4807f1180ad9bbc8a9a27621496e96f5a739e89b8
                          • Instruction Fuzzy Hash: 652124B1D112489FCB14CFA9C894BDEBFF9AF08310F248129E809E7340C7789946CBA4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e6d6a26731986dab44e30c9d23f14c2bc138404c16de8b9edf9b8df8df708b74
                          • Instruction ID: d8bbd864e704870bd8fe56a7a885e08910881aa264cab55a52607251e0e713e5
                          • Opcode Fuzzy Hash: e6d6a26731986dab44e30c9d23f14c2bc138404c16de8b9edf9b8df8df708b74
                          • Instruction Fuzzy Hash: D511E9302101058FC685A774A8649BD7FABFFC62507455A3CE143CFA64DDB46D4EC791
                          Memory Dump Source
                          • Source File: 00000000.00000002.2156737953.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10ed000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                          • Instruction ID: a217af8d071c32c4635c1b38950f7f1e44bb1ef899ba4d2863342f4bb038cf56
                          • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                          • Instruction Fuzzy Hash: 6A110376404280CFCB06CF54D9C4B16BFB1FB88314F24C6AAD9490B257C336D45ACBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2156815198.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10fd000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                          • Instruction ID: a307fca5768906321e53a098932bdbba624da7378b95e9cc8c2871d83360fe43
                          • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                          • Instruction Fuzzy Hash: D211D075504280CFDB16CF54D5C4B15FFA2FB84314F24C6AEE9494B656C33AD40ACB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 355cd3c638f0c4f924744f521f2a2457998b417081a21f9ab17e1f0423c61e51
                          • Instruction ID: 1c8d3286305555dfe0a94ec317ecbaa4a35fd260e49342da954b28bf9234534b
                          • Opcode Fuzzy Hash: 355cd3c638f0c4f924744f521f2a2457998b417081a21f9ab17e1f0423c61e51
                          • Instruction Fuzzy Hash: A401B171B101099FDF10DAA9AC44AAFFBBEFB84321F14803AE904D3240DB31990587A0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 98f1dd3c6578c0345f1d6369f208e664ec6b84caecbf2779706b86077aa8285e
                          • Instruction ID: c25cf894542959566aeb6011d52730d5a7779dbee70911fcb486d87c41567cc8
                          • Opcode Fuzzy Hash: 98f1dd3c6578c0345f1d6369f208e664ec6b84caecbf2779706b86077aa8285e
                          • Instruction Fuzzy Hash: 9711C2712442058FD325AF25E51866E3BE3EFC9321B50C639D14A8B655CFB49C0ECB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a833d75534110e899124d791b057c0a27d9931d7cb5658ac027ec9cf9298d4f6
                          • Instruction ID: f06d64785c4a13b4367348705bbe9bf84f8daee61692f14c263fac5ec2b6130d
                          • Opcode Fuzzy Hash: a833d75534110e899124d791b057c0a27d9931d7cb5658ac027ec9cf9298d4f6
                          • Instruction Fuzzy Hash: C7019E312001068F8688A779A56897E7FABFEC82507558938E147CF614DDF4B85E8792
                          Memory Dump Source
                          • Source File: 00000000.00000002.2156737953.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10ed000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6931e7892540ff13cf7c3fffaab01a9e9bed7daf362d2471dece7f474a2ecbb8
                          • Instruction ID: 576b4a36978157b6a7a38e4931768bcbc63f05c83c8f477295f25ababdc7c310
                          • Opcode Fuzzy Hash: 6931e7892540ff13cf7c3fffaab01a9e9bed7daf362d2471dece7f474a2ecbb8
                          • Instruction Fuzzy Hash: A601F731108340DEE7108B9AC988B67BFDCEF45320F18C46AED880A286C2799840C771
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a9d9dea79e618743570346362e8493c31e32eb7d577cf77498068578e665e8b3
                          • Instruction ID: f950c3155c0e991194c85a559826f9501b966385a09f0416a2779e26630b0d1c
                          • Opcode Fuzzy Hash: a9d9dea79e618743570346362e8493c31e32eb7d577cf77498068578e665e8b3
                          • Instruction Fuzzy Hash: 26014934608308DFCB42DF74C8148693FBAEF8A21070485EDE944CB362EA32CC06CB81
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 67f52d2772f5acdaa978588a32fbf636c93ab8952021e509ce554f14bf25a5ed
                          • Instruction ID: dfb9680cfc8ac6c895e3014b699641d9d4fb71430e6a71895dc1da75e683cada
                          • Opcode Fuzzy Hash: 67f52d2772f5acdaa978588a32fbf636c93ab8952021e509ce554f14bf25a5ed
                          • Instruction Fuzzy Hash: 170192712006098FD329AF65E15866E7BE7FFC9315B508A39D1468B644CFB4EC0DCB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 228d43cda99eca3e65c7079cdc58a506fb5fa93e0521bc8095353205601eca68
                          • Instruction ID: 99bbe2b6368848ecf8c2ef91a9ee558084974d670eaaeb232d0dc8eb6de12d6f
                          • Opcode Fuzzy Hash: 228d43cda99eca3e65c7079cdc58a506fb5fa93e0521bc8095353205601eca68
                          • Instruction Fuzzy Hash: 2201D130A31702CFDBA88A39A904523B7F7BF84265704893CE80692658DBB5F890CB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a11ca5399f812bdec7d21c6c9927c9e59383fa82cd7fd129692ed8578ada79d7
                          • Instruction ID: af89911615a40050e86df7c2e4e54e146e3bc011fe9f144c407da941a72bb12a
                          • Opcode Fuzzy Hash: a11ca5399f812bdec7d21c6c9927c9e59383fa82cd7fd129692ed8578ada79d7
                          • Instruction Fuzzy Hash: 6EF096672081D83ECB124EA95C649FB3FFD9E4E1627194096FAD4D6142C02CC916A770
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7053d8c2c6df6a320f6ac7ed0ead23fd6bc23a795da055170ce8cb084d965bf8
                          • Instruction ID: 292f1670463f676c4833d1c028ae109b827171567b438fb192d97823d9089749
                          • Opcode Fuzzy Hash: 7053d8c2c6df6a320f6ac7ed0ead23fd6bc23a795da055170ce8cb084d965bf8
                          • Instruction Fuzzy Hash: EF01A2315057008FC3159F2AE808161BBF6FF4D310700C66EE44AC2A21DBB0A50BCF84
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1fe998a2605f3dcf88e2fa268b685481088d031b03cc307196b2f2acda3c43ae
                          • Instruction ID: 83fd8b7696e3eeb775096491e9834b6b4cb8fee91af2df1d4af8f6c698fd552f
                          • Opcode Fuzzy Hash: 1fe998a2605f3dcf88e2fa268b685481088d031b03cc307196b2f2acda3c43ae
                          • Instruction Fuzzy Hash: 8D01C0B4D1420AEFCB44DFA9D9456AEFFF1BB48311F5082AAA915A3350E7780A41CF90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2156737953.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_10ed000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 14c140e8608a03650a808e33eefcc312c2e5c61b496505b38a2d5970a4e5af4d
                          • Instruction ID: ba32ef8a0897a471a60c805371307a05253d38be3ba02feb0ff34a6dc440e727
                          • Opcode Fuzzy Hash: 14c140e8608a03650a808e33eefcc312c2e5c61b496505b38a2d5970a4e5af4d
                          • Instruction Fuzzy Hash: 89F06271405344DEEB518F1AC888B67FFE8EF45664F18C45AED484B286D3799844CB71
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8087d4563ec7a4caf4a43e8cbea8b8251544e3e6370be3cee35966a4894eeec0
                          • Instruction ID: 96efdf34ef608ca7db659600dafc8f37dfa221889f10f02ac74d83ae07ea6725
                          • Opcode Fuzzy Hash: 8087d4563ec7a4caf4a43e8cbea8b8251544e3e6370be3cee35966a4894eeec0
                          • Instruction Fuzzy Hash: 3EF0FC312053D04FC352A73DED146AA3FEADF86254B08456DE146CB656C6B59C09CF51
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 72df85291592f4db9ee9f955a842d7eb5ed9744ea23e691a991f104f8831050e
                          • Instruction ID: ab4344df9179e32e2a679fae50c75c7a90fc4ac98eb76417753ca09d66ef12a8
                          • Opcode Fuzzy Hash: 72df85291592f4db9ee9f955a842d7eb5ed9744ea23e691a991f104f8831050e
                          • Instruction Fuzzy Hash: C0F0E9302041555FC3105769AC58AABBFEAEFCA351744457DE54AC7243C96518058766
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d749353fbb5fe5ca113e57251ac2b77c0281d275ce543ef6e2bad4468d65282c
                          • Instruction ID: 52a7f8bd630cf8f7c538602fddbf22ea476612de4e28cc2cda1899afd2a11de3
                          • Opcode Fuzzy Hash: d749353fbb5fe5ca113e57251ac2b77c0281d275ce543ef6e2bad4468d65282c
                          • Instruction Fuzzy Hash: F8F082622041E83F8B119E9A5C20CFB7FEDDA8E1617084156FEE8D2141C429C921ABB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: faded0b735cd8bdc3a8b06556c1c11b2d5d6137a06f8f9aa942195651fa25ac3
                          • Instruction ID: fcfc12b90490b6c9257bd715e86a82a95424212be9b2f6e012bf68f3c6c2830f
                          • Opcode Fuzzy Hash: faded0b735cd8bdc3a8b06556c1c11b2d5d6137a06f8f9aa942195651fa25ac3
                          • Instruction Fuzzy Hash: 2DF0597120D1644FC312172868144BD3FB9DEC62A230445EED582CB252DA444506C3D2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84a35af74e594fdb8054c8c6159e8a60a05b873f44c9f2958642ad20ac916f00
                          • Instruction ID: 7cb718758020047eef77bb910688bea4d59d1a634cbe411c1426c790deecc92b
                          • Opcode Fuzzy Hash: 84a35af74e594fdb8054c8c6159e8a60a05b873f44c9f2958642ad20ac916f00
                          • Instruction Fuzzy Hash: 22F02E32B503009FC720CB68E941FA03BE4AB46321F05832AE610CF1E2D3B0E80AC740
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 82d4b4bbc215e507ea397e889fa51b8c47f38bafc9b5f6ed51f47d75b0ed9ecd
                          • Instruction ID: f4934a1ea25c2180193e0fc7ff5ec048ab4412a3b7277a2c63cc43195835a964
                          • Opcode Fuzzy Hash: 82d4b4bbc215e507ea397e889fa51b8c47f38bafc9b5f6ed51f47d75b0ed9ecd
                          • Instruction Fuzzy Hash: 70F0AFB1C18259DFDB00CBA4C4154AEBFB0EB1A211F4082DAEC02E7261E6784A41CB40
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: add10cf84ab4562b4b7e9e16c8181858036be72615244239ed8bf4b23e111166
                          • Instruction ID: 638029c45ec36e11d723e2b6a193758ddff91fde36d5b7afcefbb11add9c98d5
                          • Opcode Fuzzy Hash: add10cf84ab4562b4b7e9e16c8181858036be72615244239ed8bf4b23e111166
                          • Instruction Fuzzy Hash: 81F05931520702CFDBA4CE21EA007677BF2BF80364F08896CD84252A25CBB4F999CB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 35bae8ac855491ac39dfe36dec278b3d6b99745cd7c4191f090a311a32729e5e
                          • Instruction ID: 47093466057e4235b42a02adb63f5385b6e394cb5a604b360077a4f984afe8c8
                          • Opcode Fuzzy Hash: 35bae8ac855491ac39dfe36dec278b3d6b99745cd7c4191f090a311a32729e5e
                          • Instruction Fuzzy Hash: DFF08272B241165BCF109A69AD486EFBFA9AFC4262F0D453FE954D3200EB349505C792
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: def0db50ed584975133193633132205a09e828e899af7019b51004581d7b763e
                          • Instruction ID: 1c636c0fdbeaacd228606828c8030c36fac77447ae135a58e5acf26a3c8fe867
                          • Opcode Fuzzy Hash: def0db50ed584975133193633132205a09e828e899af7019b51004581d7b763e
                          • Instruction Fuzzy Hash: E0E09B312001116FC3146A5AA85CA9EBEDEEBC9391B40453CF14EC7241CA65580547A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8b6d020e2e8b41dce7736c3ec08d8082c92ae2567c2d8adb9512ea26bff5257f
                          • Instruction ID: 2bc9bd7fe6b2064c0b3595daf32b99ac3bbdd10ef803694b0f61035e3dd9108e
                          • Opcode Fuzzy Hash: 8b6d020e2e8b41dce7736c3ec08d8082c92ae2567c2d8adb9512ea26bff5257f
                          • Instruction Fuzzy Hash: 50F09A34501B058FD725EF26E408526BBFAFB8C315700C62EE88BC3A10DBB0A50ACF84
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ca1ddb81434f6f651fbc8555e44755b275243904a255c9e74cc330fc7617a5e5
                          • Instruction ID: 067d7c60e99a784340a640607513312c1b8278affde2a5694effe0d31a9975cf
                          • Opcode Fuzzy Hash: ca1ddb81434f6f651fbc8555e44755b275243904a255c9e74cc330fc7617a5e5
                          • Instruction Fuzzy Hash: 97F0E571E183919FC786E728EA45AB93FB0DF07124B024699DC59CBA15D6308804CB45
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 155c8bbb05b2e370851c73562ebc75293138d7494c9b44f6cbd774b96bdfabed
                          • Instruction ID: f60ac5824b064001a48be9db58590c3396d5d20dd9902dd755034fee2190ab8d
                          • Opcode Fuzzy Hash: 155c8bbb05b2e370851c73562ebc75293138d7494c9b44f6cbd774b96bdfabed
                          • Instruction Fuzzy Hash: 8BE061327152404FCB42EB3CFC005F97F70DB45524B0046A9D408C7A45D6304909CB96
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6fe150a362327da7e0d0d04c33bf538d2e85f65cbcd17462283c094cd8cb1c8f
                          • Instruction ID: 4f5211917c3aee040559a5a8d2116e58059d7777ba3e19c778adce9aad4a5dad
                          • Opcode Fuzzy Hash: 6fe150a362327da7e0d0d04c33bf538d2e85f65cbcd17462283c094cd8cb1c8f
                          • Instruction Fuzzy Hash: 65F03975D0020CBFCB41DFB4D9498CDBFB9EB48340F1082AAE805E3240EA305B59CB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f77f71e3d3824f9ce5ff28f2bf581ee45eebc7c361a6950c010c22d78c1d3eb8
                          • Instruction ID: 52885284c5b4e89ebad28e8e5686143c72e833ee91f25a2e88a3e3bfea6326da
                          • Opcode Fuzzy Hash: f77f71e3d3824f9ce5ff28f2bf581ee45eebc7c361a6950c010c22d78c1d3eb8
                          • Instruction Fuzzy Hash: 58E0E5302007904FC310E72DE509BAE7FEADF85354F04452DE246CB600CBB5A809CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4c6f44982f2e281141a080e6d06f803471fac36bb91464cee5670129f75958a7
                          • Instruction ID: 4fe554a82f8928fe210d2001c5a4a0c38644852997146035fcfd555fa2a28bc0
                          • Opcode Fuzzy Hash: 4c6f44982f2e281141a080e6d06f803471fac36bb91464cee5670129f75958a7
                          • Instruction Fuzzy Hash: D6E092B210C2119FE304DB24E8408967BE4EB91320B15C86EE480D7241E731E881CBA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b5f980194996b0af4bc1661cd4fdb1b2d508e9f956ff646a2e37a7f03ef1912b
                          • Instruction ID: 402130e814b5bd203562d31c98082aeb8a3488521fc0cdbff31142e547b066bb
                          • Opcode Fuzzy Hash: b5f980194996b0af4bc1661cd4fdb1b2d508e9f956ff646a2e37a7f03ef1912b
                          • Instruction Fuzzy Hash: C4E0DF71E49204EFCB01DFA4A9409BE7FB5DB8A200B2042EAE809DB251E6704F188792
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e8da6923f007042f29da60c95fed9bad05d859cf4738c51bb9c40d7c3404aefc
                          • Instruction ID: 00b7f4fdc9cfd348f81768a410f36317968c59b42ad37e1fb9861d19b0cde0af
                          • Opcode Fuzzy Hash: e8da6923f007042f29da60c95fed9bad05d859cf4738c51bb9c40d7c3404aefc
                          • Instruction Fuzzy Hash: 64E0C2266042255FCB491B7869240B77BA75EDB221355C1ABDA46C7206CE324C0B8785
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d623f69d6aedcd0708bf325b94a5be59ffa2eb00e4ec5cd510e7e203042d1106
                          • Instruction ID: 3a1fd4fcb00726b2c8a068188b8730490cc55d3a5da60784aea7db423fee334b
                          • Opcode Fuzzy Hash: d623f69d6aedcd0708bf325b94a5be59ffa2eb00e4ec5cd510e7e203042d1106
                          • Instruction Fuzzy Hash: 05E02B329006018FC322E700FE1563477F5F7556187024158C8415B9A8C77065098FC5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5d97d76a24a56bfac3139fce315b846a67113fa92825e8079ba52b84811d61b7
                          • Instruction ID: 6e0a65db1688e47c3062d995fd49b8d34fbe0e42df7f8903ca6112b5ee84fb15
                          • Opcode Fuzzy Hash: 5d97d76a24a56bfac3139fce315b846a67113fa92825e8079ba52b84811d61b7
                          • Instruction Fuzzy Hash: 58D05B313001355786056769B4184FE7BAFEAC56A33004539E747C7340DF655D0587D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: de74e560867bbe7729a1515698305f0322c1ce428193b8efdc30461af076e721
                          • Instruction ID: 3106da6392c542f7e458eeb0c65a1fdcf8382026518ecae5ea049f808da37a01
                          • Opcode Fuzzy Hash: de74e560867bbe7729a1515698305f0322c1ce428193b8efdc30461af076e721
                          • Instruction Fuzzy Hash: D0E012391682489FCB829B54CC458543F79AF5E62038681CAF9948F173D621DC21DBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d49562eba0c37be35f81dba97b739c342055d525a314936c25779d2b507ac3d7
                          • Instruction ID: a5431cd37025c0916ff5d7f62559c12a814ae868f9d60389960eb4ada5c2ba94
                          • Opcode Fuzzy Hash: d49562eba0c37be35f81dba97b739c342055d525a314936c25779d2b507ac3d7
                          • Instruction Fuzzy Hash: 6DE07E75D0020CEFCB40EFA4E9458DDBBB9EB48200F1082AAD909E3200EA706B599B80
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 071ef1f408b8c2e190c4e3d68c1a7e43082224501e2f7a5bd04b3b4ae9cd6711
                          • Instruction ID: 432c46e927d9761b28f764524bc3dd2fc8c501ef6710483ae00f7a7cc00e7631
                          • Opcode Fuzzy Hash: 071ef1f408b8c2e190c4e3d68c1a7e43082224501e2f7a5bd04b3b4ae9cd6711
                          • Instruction Fuzzy Hash: 73D05B71A0010CFFCB40DFA8E90096DBBF9EF44214B1041E9D409D7200DA715F149791
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 44fd232cb59f6016be51713feab1741707ac1ef0eea3923719e512659a1a494c
                          • Instruction ID: 24b9fbaf6f5bf09530c175c6c7d57e54a2ce87c114986a10a7452663a5447710
                          • Opcode Fuzzy Hash: 44fd232cb59f6016be51713feab1741707ac1ef0eea3923719e512659a1a494c
                          • Instruction Fuzzy Hash: 2EC012327000200F1284A66C70240BDAAD792CD1A738A513BE60EC7348CDA28C5A4395
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f217ce1823febc08fb1c7ce9758ff8d2a7824852182b9b4a54f08bc06efe03b3
                          • Instruction ID: f9c59f3360bdd7871812721f160e24864e9849bdf4c39d1e3fcd9ab06fc9cea3
                          • Opcode Fuzzy Hash: f217ce1823febc08fb1c7ce9758ff8d2a7824852182b9b4a54f08bc06efe03b3
                          • Instruction Fuzzy Hash: 48C08C719093800FD30282606C1AE913F30AB96B01B0B1082E2828A0D3D2540849CB72
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ec256da9121856f498efafa5059184491250cd21f1fe9fa6f6502fbfc121d695
                          • Instruction ID: 30296cc188c1ddf8b0794e30d48ca169b9538313b2e4512b4eedf44067db0ed5
                          • Opcode Fuzzy Hash: ec256da9121856f498efafa5059184491250cd21f1fe9fa6f6502fbfc121d695
                          • Instruction Fuzzy Hash: E4C09B7196E7D05EEB421774890D9043E126F4B63471545CED655CF0B3C5614409C751
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8fa144228dbe0918823755ae43279771107e20d92c848a34869b1901aaf2652d
                          • Instruction ID: 42f696e29063a9e60aed9228212f89a1597872d13cd10d02c31c3cb7460d486c
                          • Opcode Fuzzy Hash: 8fa144228dbe0918823755ae43279771107e20d92c848a34869b1901aaf2652d
                          • Instruction Fuzzy Hash: A26230B06002019FD748DF19D45876ABEEAEF85308F64C95C900D9F396CBBAD90B8B95
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5045bd2f6bfefc5c9ac265f164596061b6a3728274705922e2315c5bbd634238
                          • Instruction ID: eb1c0ecf6171ed191383be651a350af12370485dee6db6bf4361f6f95c412bfe
                          • Opcode Fuzzy Hash: 5045bd2f6bfefc5c9ac265f164596061b6a3728274705922e2315c5bbd634238
                          • Instruction Fuzzy Hash: 326230B06002019FD748DF19D45876ABEEAEF85308F64C95C900D9F396CBBAD90BCB95
                          Memory Dump Source
                          • Source File: 00000000.00000002.2157084686.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aad7e31c535d6edcfb8a3b3bb55a5367f7e65eb26be491cb3c9b2ce96900122b
                          • Instruction ID: 78a7124ecd44c5d2318cec6fc85c84857c721d3e2434b6b8bd4ea8e8002cc699
                          • Opcode Fuzzy Hash: aad7e31c535d6edcfb8a3b3bb55a5367f7e65eb26be491cb3c9b2ce96900122b
                          • Instruction Fuzzy Hash: 43A18132F0020A8FCF09DFB9D85059EB7B6FF84304B15456EE905AB255DB72D926CB40
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2166707918.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_62c0000_file.jbxd
                          Similarity
                          • API ID:
                          • String ID: (_]q$(_]q$(_]q$(_]q
                          • API String ID: 0-2651352888
                          • Opcode ID: e6330ae475c8feae0d000d6a1a1f64339f090aceb3818ae59867a74904b32231
                          • Instruction ID: d96ee81f6c061528aa71f32415bb1eb9589ffe9c74c21d7b11fa294a6ab49b38
                          • Opcode Fuzzy Hash: e6330ae475c8feae0d000d6a1a1f64339f090aceb3818ae59867a74904b32231
                          • Instruction Fuzzy Hash: B491CE78A042059FCB049F68C4645AE7FB6EF89310F2585AEED46DF381DA31DD06CB91