Windows Analysis Report
QtON0L47XD.exe

Overview

General Information

Sample name: QtON0L47XD.exe (renamed because original name is a hash value)
Original sample name: 2c9328c93b4dd4e49229511677e107b7.exe
Analysis ID: 1502810
MD5: 2c9328c93b4dd4e49229511677e107b7
SHA1: a7814ce1f61f998b35b4e4d45f963fd937c80652
SHA256: 5f386b56951dd0065a4f76ec8797e7dd82cbbb6a27b1865bfb9be5a9c6955935
Tags: exe, RedLineStealer

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • QtON0L47XD.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\QtON0L47XD.exe" MD5: 2C9328C93B4DD4E49229511677E107B7)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"C2 url": "176.109.101.167:6607"}
Source | Rule | Description | Author | Strings
QtON0L47XD.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
QtON0L47XD.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
QtON0L47XD.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
QtON0L47XD.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x45c17:$s1: file:///
  • 0x45b4f:$s2: {11111-22222-10009-11112}
  • 0x45ba7:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c29:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1769335971.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.0.QtON0L47XD.exe.8e0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.0.QtON0L47XD.exe.8e0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.0.QtON0L47XD.exe.8e0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.QtON0L47XD.exe.8e0000.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x45c17:$s1: file:///
  • 0x45b4f:$s2: {11111-22222-10009-11112}
  • 0x45ba7:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c29:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

No Sigma rule has matched

Timestamp: 2024-09-02T10:32:04.108531+0200
SID: 2046056
Severity: 1
Source Port: 6607
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-09-02T10:32:03.653098+0200
SID: 2046045
Severity: 1
Source Port: 49730
Destination Port: 6607
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: QtON0L47XD.exe | Avira: detected
Source: QtON0L47XD.exe.7652.0.memstrmin | Malware Configuration Extractor: RedLine {"C2 url": "176.109.101.167:6607"}
Source: QtON0L47XD.exe | ReversingLabs: Detection: 70%
Source: QtON0L47XD.exe | Virustotal: Detection: 35%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: QtON0L47XD.exe | Joe Sandbox ML: detected
Source: QtON0L47XD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QtON0L47XD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49730 -> 176.109.101.167:6607
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 176.109.101.167:6607 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 176.109.101.167:6607
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 176.109.101.167:6607
Source: Joe Sandbox View | ASN Name: SPEEDYLINERU SPEEDYLINERU
Source: unknown | TCP traffic detected without corresponding DNS query: 176.109.101.167
Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: QtON0L47XD.exe, 00000000.00000002.1779386816.000000001BCAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000003414000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000003414000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbP equals www.youtube.com (Youtube)
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002F1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1Response
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2Response
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3Response
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002FE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                            Source: QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                            System Summary

                            Source: QtON0L47XD.exe, type: SAMPLEMatched rule: Detects zgRAT Author: ditekSHen
                            Source: 0.0.QtON0L47XD.exe.8e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                            Source: QtON0L47XD.exe, Strings.csLarge array initialization: Strings: array initializer size 6160
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B7AC4CC0_2_00007FFD9B7AC4CC
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B8F3C510_2_00007FFD9B8F3C51
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B90A2F50_2_00007FFD9B90A2F5
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B8FAA1D0_2_00007FFD9B8FAA1D
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B90D86D0_2_00007FFD9B90D86D
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B90AFA50_2_00007FFD9B90AFA5
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B904F090_2_00007FFD9B904F09
                            Source: QtON0L47XD.exe, 00000000.00000000.1699132028.000000000096E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameGristles.exe" vs QtON0L47XD.exe
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs QtON0L47XD.exe
                            Source: QtON0L47XD.exeBinary or memory string: OriginalFilenameGristles.exe" vs QtON0L47XD.exe
                            Source: QtON0L47XD.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: QtON0L47XD.exe, type: SAMPLEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: 0.0.QtON0L47XD.exe.8e0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: QtON0L47XD.exe, Strings.csCryptographic APIs: 'CreateDecryptor'
                            Source: QtON0L47XD.exe, Class4.csCryptographic APIs: 'CreateDecryptor'
                            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeFile created: C:\Users\user\AppData\Local\Microsoft\Wind?wsJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeMutant created: NULL
                            Source: QtON0L47XD.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: QtON0L47XD.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: QtON0L47XD.exeReversingLabs: Detection: 70%
                            Source: QtON0L47XD.exeVirustotal: Detection: 35%
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: windowscodecs.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                            Source: QtON0L47XD.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: QtON0L47XD.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

                            Source: QtON0L47XD.exe, Class4.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                            Source: QtON0L47XD.exeStatic PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B6D63EE push ss; retf 0_2_00007FFD9B6D63EF
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B6D00BD pushad ; iretd 0_2_00007FFD9B6D00C1
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B6D5CB0 push edi; iretd 0_2_00007FFD9B6D5CB6
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B7A2004 pushad ; retf 0_2_00007FFD9B7A2005
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B7A6B79 push 3000006Bh; ret 0_2_00007FFD9B7A6BB9
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B7A4150 push eax; iretd 0_2_00007FFD9B7A4151
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeCode function: 0_2_00007FFD9B8F2D75 pushad ; retf 0_2_00007FFD9B8F2D99
                            Source: C:\Users\user\Desktop\QtON0L47XD.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                            Malware Analysis System Evasion

                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \QEMU-GA.EXE
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Memory allocated: 10C0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Memory allocated: 1AC50000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Code function: 0_2_00007FFD9B6D20F4 sldt word ptr [eax]
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Window / User API: threadDelayed 841
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Window / User API: threadDelayed 3098
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe TID: 7848; Thread sleep time: -11068046444225724s >= -30000s
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe TID: 7676; Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Thread delayed: delay time: 922337203685477
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \qemu-ga.exe
                            Source: QtON0L47XD.exe, 00000000.00000002.1779497676.000000001BCEC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Process information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Memory allocated: page read and write | page guard
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Queries volume information: C:\Users\user\Desktop\QtON0L47XD.exe VolumeInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: QtON0L47XD.exe, 00000000.00000002.1779862632.000000001C146000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                            Stealing of Sensitive Information

                            Source: Yara match; File source: QtON0L47XD.exe, type: SAMPLE
                            Source: Yara match; File source: 0.0.QtON0L47XD.exe.8e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match; File source: dump.pcap, type: PCAP
                            Source: Yara match; File source: QtON0L47XD.exe, type: SAMPLE
                            Source: Yara match; File source: 0.0.QtON0L47XD.exe.8e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match; File source: Process Memory Space: QtON0L47XD.exe PID: 7652, type: MEMORYSTR
                            Source: Yara match; File source: QtON0L47XD.exe, type: SAMPLE
                            Source: Yara match; File source: 0.0.QtON0L47XD.exe.8e0000.0.unpack, type: UNPACKEDPE
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ElectrumE#
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ElectronCashE#
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: JaxxE#
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ExodusE#
                            Source: QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: EthereumE#
                            Source: QtON0L47XD.exe, 00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: set_UseMachineKeyStore
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                            Source: C:\Users\user\Desktop\QtON0L47XD.exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                            Source: Yara match; File source: 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000000.00000002.1769335971.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: Process Memory Space: QtON0L47XD.exe PID: 7652, type: MEMORYSTR

                            Remote Access Functionality

                            Source: Yara match; File source: QtON0L47XD.exe, type: SAMPLE
                            Source: Yara match; File source: 0.0.QtON0L47XD.exe.8e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match; File source: dump.pcap, type: PCAP
                            Source: Yara match; File source: QtON0L47XD.exe, type: SAMPLE
                            Source: Yara match; File source: 0.0.QtON0L47XD.exe.8e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match; File source: 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match; File source: 00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match; File source: Process Memory Space: QtON0L47XD.exe PID: 7652, type: MEMORYSTR
                            Source: Yara match; File source: QtON0L47XD.exe, type: SAMPLE
                            Source: Yara match; File source: 0.0.QtON0L47XD.exe.8e0000.0.unpack, type: UNPACKEDPE
                            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 OS Credential Dumping | 331 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 251 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                            Source | Detection | Scanner | Label
                            QtON0L47XD.exe | 71% | ReversingLabs | ByteCode-MSIL.Spyware.Redline
                            QtON0L47XD.exe | 36% | Virustotal |
                            QtON0L47XD.exe | 100% | Avira | HEUR/AGEN.1312138
                            QtON0L47XD.exe | 100% | Joe Sandbox ML |
                            No Antivirus matches
                            No Antivirus matches
                            No Antivirus matches
                            No contacted domains info
                            Name | Malicious | Antivirus Detection | Reputation
                            176.109.101.167:6607 | true | 0%, Virustotal; Avira URL Cloud: safe | unknown
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://discord.com/api/v9/users/QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/faultQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsatQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://tempuri.org/example/Field1ResponseQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002F1B000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://api.ip.sb/ipQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/scQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://www.ecosia.org/newtab/QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.w3.ohQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002FE6000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/08/addressingQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/trustQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RenewQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://tempuri.org/example/Field1QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2006/02/addressingidentityQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/soap/envelope/QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://tempuri.org/example/Field2QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://tempuri.org/example/Field3QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trustQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/06/addressingexQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wscoorQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchQtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.w3.oQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002FE6000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/CommittedQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://tempuri.org/example/Field3ResponseQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/faultQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponseQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/CancelQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            https://www.google.com/images/branding/product/ico/googleg_lodp.icoQtON0L47XD.exe, 00000000.00000002.1774991356.0000000012D6B000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E76000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012DC4000.00000004.00000800.00020000.00000000.sdmp, QtON0L47XD.exe, 00000000.00000002.1774991356.0000000012E1D000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1QtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002C51000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_WrapQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2002/12/policyQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2005/02/sc/dkQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/IssueQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/IssueQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://schemas.xmlsoap.org/ws/2004/10/wsat/CommitQtON0L47XD.exe, 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            unknown
                            IP | Domain | Country | ASN | ASN Name | Malicious
                            176.109.101.167 | unknown | Russian Federation | 49342 | SPEEDYLINERU | true
                            Joe Sandbox version:40.0.0 Tourmaline
                            Analysis ID:1502810
                            Start date and time:2024-09-02 10:31:07 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 2m 48s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:1
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:QtON0L47XD.exe
                            renamed because original name is a hash value
                            Original Sample Name:2c9328c93b4dd4e49229511677e107b7.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenFile calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            Time | Type | Description
                            04:32:04 | API Interceptor | 19x Sleep call for process: QtON0L47XD.exe modified
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            SPEEDYLINERU | firmware.i686.elf | malicious | Unknown | 178.215.96.174
                            SPEEDYLINERU | botx.x86.elf | malicious | Mirai | 176.114.120.113
                            SPEEDYLINERU | 2GAcJejuxn.exe | malicious | DCRat, PureLog Stealer, RedLine, zgRAT | 176.123.161.158
                            SPEEDYLINERU | C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe | malicious | DCRat, PureLog Stealer, zgRAT | 176.123.168.151
                            SPEEDYLINERU | NMdpQecbkg.elf | malicious | Mirai | 213.108.22.242
                            SPEEDYLINERU | gZo873g1iv.exe | malicious | DCRat, PureLog Stealer, zgRAT | 176.123.169.110
                            SPEEDYLINERU | bXKYLbAIza.exe | malicious | DCRat, zgRAT | 176.123.168.238
                            SPEEDYLINERU | 0rsj8JbJNU.dll | malicious | Amadey | 176.123.171.210
                            SPEEDYLINERU | 0rsj8JbJNU.dll | malicious | Amadey | 176.123.171.210
                            SPEEDYLINERU | sora.arm.elf | malicious | Mirai | 176.109.66.246
                            Process:C:\Users\user\Desktop\QtON0L47XD.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):2611
                            Entropy (8bit):5.363358188931451
                            Encrypted:false
                            SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT48BHK7HKmTHlHNW:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZR
                            MD5:CEA017D10C4D437981D19F21660A47FA
                            SHA1:61AAFCECB5325DE172857CEF7C7E1F230F73AFFD
                            SHA-256:60B099420455DECD1878FE84F217CFE478BA0BA5E6E574077150D08355A1DD96
                            SHA-512:413384BF9D2EDC9BC2DF6D5175D09A33B91CCF9C53FE3CB21892CB57AF4FD8A9BE0608E9BCA57AF4A7F2709A4C110148719DA3210460DF433CFD77FA753B9CF8
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.180172860423383
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:QtON0L47XD.exe
                            File size:743'424 bytes
                            MD5:2c9328c93b4dd4e49229511677e107b7
                            SHA1:a7814ce1f61f998b35b4e4d45f963fd937c80652
                            SHA256:5f386b56951dd0065a4f76ec8797e7dd82cbbb6a27b1865bfb9be5a9c6955935
                            SHA512:c1f965fc851bcf905f4e39ff58edad69fade14e1a161104c0f70c797a4f729cc3e4422021032bec099f31466fff7958670a9281e86554f44fe1ad7c675edd65e
                            SSDEEP:12288:6D6YDzqx5XBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4QiAzojgJ6:6D6Y3qx51NBXA
                            TLSH:2EF4701C5BBC058CEC8CD531BE20C9326EA04E08919FCB49A569FA151EB6277B3F5BD1
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
                            Icon Hash:0e9696961617e982
                            Entrypoint:0x44d0ee
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4d098 | 0x53 | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x6a022 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x4b0f4 | 0x4b200 | b08f646785b6ad7d00594054a20e45e9 | False | 0.4179979981281198 | data | 6.528629690725186 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x4e000 | 0x6a022 | 0x6a200 | 65e4195d76e2641b30f5c060426a53b1 | False | 0.04090059997055359 | data | 3.4733020781588206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xba000 | 0xc | 0x200 | 3a13fecd19ca9773d82cc3855bc1b8eb | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0x4e2b0 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | | | 0.019047548598988075
                            RT_ICON | 0x902d8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.03903939429788241
                            RT_ICON | 0xa0b00 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.0580460374185411
                            RT_ICON | 0xa9fa8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.08243992606284659
                            RT_ICON | 0xaf430 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.0987836561171469
                            RT_ICON | 0xb3658 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.14284232365145227
                            RT_ICON | 0xb5c00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.22537523452157598
                            RT_ICON | 0xb6ca8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.30901639344262294
                            RT_ICON | 0xb7630 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.4530141843971631
                            RT_GROUP_ICON | 0xb7a98 | 0x84 | data | | | 0.7196969696969697
                            RT_VERSION | 0xb7b1c | 0x31c | data | | | 0.4535175879396985
                            RT_MANIFEST | 0xb7e38 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                            2024-09-02T10:32:04.108531+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 6607 | 49730 | 176.109.101.167 | 192.168.2.4
                            2024-09-02T10:32:03.653098+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 49730 | 6607 | 192.168.2.4 | 176.109.101.167
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Sep 2, 2024 10:32:07.659317017 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659336090 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659344912 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659377098 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659394026 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659404993 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659415960 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659483910 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659492970 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659538031 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659548044 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659569025 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.659593105 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.659657001 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.660284042 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660295963 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660305977 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660315990 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660325050 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660335064 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660343885 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660353899 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660363913 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660373926 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660382986 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660392046 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660402060 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660410881 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660420895 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660429955 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660445929 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660454035 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660463095 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.660473108 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.662532091 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.662631035 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.662806988 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663369894 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663425922 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663435936 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663445950 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663506985 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663517952 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663544893 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663554907 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663578033 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663589001 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663626909 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663636923 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663645983 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663696051 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663706064 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663714886 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663769007 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663779974 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663789034 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.663800001 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.664031982 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.664092064 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.665450096 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665461063 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665580034 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665589094 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665610075 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665621042 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665718079 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665730000 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665741920 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665751934 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665806055 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665862083 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665966988 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.665983915 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666038036 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666049004 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666058064 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666068077 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666110039 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666168928 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666178942 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666188002 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666198969 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666207075 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666255951 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666285992 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666295052 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666302919 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666315079 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666367054 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666378021 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666387081 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666398048 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666407108 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666452885 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666510105 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666520119 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666529894 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666608095 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666661978 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666707039 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666717052 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666726112 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666742086 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666752100 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666759968 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666785002 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666862965 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666872978 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666882038 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666901112 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666914940 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.666944981 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.668963909 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.668975115 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669019938 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669112921 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669123888 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669132948 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669207096 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.669208050 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669219017 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669229984 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669239998 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669249058 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669260979 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669260979 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.669282913 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669294119 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669303894 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669312954 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669323921 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669332981 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669348955 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669399023 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669409037 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669416904 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669435024 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669445038 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669467926 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669490099 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669512987 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669523001 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669567108 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669576883 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669585943 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669604063 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669687986 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669698000 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669706106 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669715881 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669734001 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669743061 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669753075 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669763088 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669809103 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669819117 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669856071 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669871092 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669879913 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669889927 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669933081 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669943094 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669950962 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.669961929 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.670037985 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.670047998 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.670056105 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674441099 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674485922 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674494982 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674505949 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674556017 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674604893 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674655914 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674791098 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.674809933 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.674875021 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.675127983 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675138950 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675148010 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675158024 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675167084 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675177097 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675184965 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675194979 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675203085 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675211906 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675220966 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675230980 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675249100 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675259113 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675267935 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675276995 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675296068 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675304890 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675415039 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675434113 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675441980 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675452948 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675470114 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675493956 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675594091 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675683975 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675694942 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675724983 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675789118 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675798893 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675823927 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675908089 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675918102 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.675929070 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676003933 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676014900 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676079988 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676098108 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676109076 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676117897 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676136017 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676186085 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676198006 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676318884 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.676328897 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680191040 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680286884 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680371046 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680382013 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680432081 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680468082 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.680474997 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680495977 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680537939 CEST497306607192.168.2.4176.109.101.167
                            Sep 2, 2024 10:32:07.680635929 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680645943 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680655003 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680704117 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680767059 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680775881 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680809021 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680876970 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.680886984 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681164980 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681178093 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681186914 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681197882 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681207895 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681216955 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681233883 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681245089 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681253910 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681262970 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681271076 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681282997 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681313992 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681324005 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681334972 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681396008 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681406021 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681415081 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681483984 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681493044 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681531906 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681541920 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681551933 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681560993 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681597948 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681607962 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681616068 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681626081 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681633949 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681644917 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681653976 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681729078 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681737900 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681746960 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681771040 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681781054 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.681790113 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.685486078 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.685498953 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.685651064 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.685679913 CEST660749730176.109.101.167192.168.2.4
                            Sep 2, 2024 10:32:07.685750961 CEST497306607192.168.2.4176.109.101.167


                            Target ID:0
                            Start time:04:32:00
                            Start date:02/09/2024
                            Path:C:\Users\user\Desktop\QtON0L47XD.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\QtON0L47XD.exe"
                            Imagebase:0x8e0000
                            File size:743'424 bytes
                            MD5 hash:2C9328C93B4DD4E49229511677E107B7
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1769335971.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1699132028.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1769335971.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:15.9%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:12
                              Total number of Limit Nodes:0
                              execution_graph 17694 7ffd9b8f5609 17695 7ffd9b8f5654 CreateCompatibleBitmap 17694->17695 17697 7ffd9b8f56ba 17695->17697 17698 7ffd9b8f6daa 17699 7ffd9b8f6e03 CreateFileA 17698->17699 17701 7ffd9b8f6f72 17699->17701 17706 7ffd9b8f86c9 17707 7ffd9b8f870e DeleteDC 17706->17707 17709 7ffd9b8f8766 17707->17709 17702 7ffd9b8f78a1 17703 7ffd9b8f7910 ReadFile 17702->17703 17705 7ffd9b8f79bd 17703->17705

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID: y&[H
                              • API String ID: 0-721110885
                              • Opcode ID: 89f90978bf87a63c7311d561fa4598e81e54fd447b703799cda6499ba479c737
                              • Instruction ID: 04a55cfad9610375c003f080c0cf4d907b58b010504ffb4a9663d5cf900e7d86
                              • Opcode Fuzzy Hash: 89f90978bf87a63c7311d561fa4598e81e54fd447b703799cda6499ba479c737
                              • Instruction Fuzzy Hash: 0333A874A1991D8FDFA8DF58C8A4BA9B7F1FB68301F5041EA904DE3291DA356E81CF40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID: /_H$y*_H
                              • API String ID: 0-548461173
                              • Opcode ID: 442d1ab570ea02e30f1419b1c4e5b69784f808e9653d77e2f15b1c4537c87158
                              • Instruction ID: 33bd693487951c33828f6a22f8f0f87f402cb8edd8928bc24df825941b3cfb49
                              • Opcode Fuzzy Hash: 442d1ab570ea02e30f1419b1c4e5b69784f808e9653d77e2f15b1c4537c87158
                              • Instruction Fuzzy Hash: 4482CC71A19A5D8FDBA5EB58C8A5BA8B7F1FF58300F5001E9D00DE32A5DE346E818F41

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID: @B/
                              • API String ID: 0-3863299084
                              • Opcode ID: e5e6a61bbee69c16543b78dcf33f60a99b911dad8958af56d6fbdfb4d6d347f5
                              • Instruction ID: 580830d53b1e4de588ec7a91c4f03bace749cd349aab4fa12950977316e87a4a
                              • Opcode Fuzzy Hash: e5e6a61bbee69c16543b78dcf33f60a99b911dad8958af56d6fbdfb4d6d347f5
                              • Instruction Fuzzy Hash: 1A82BD70A19A1D8FDBA5DB58C8A5BA8B7B1FF58300F5501EAD00DE32A5DA356EC0CF41

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID: ~'_H
                              • API String ID: 0-3531788527
                              • Opcode ID: 6f6983b9dde9441fdfbdf4332b77d6c75b851d2f3f07a9a5fd2b843243f472df
                              • Instruction ID: 73363e2efe2f2023395baca9aac44cf8a72cc21b9ff4279fbe2d62403d34aa95
                              • Opcode Fuzzy Hash: 6f6983b9dde9441fdfbdf4332b77d6c75b851d2f3f07a9a5fd2b843243f472df
                              • Instruction Fuzzy Hash: BF322B32F1D90D5FEBA8DB5C88656B973D2EF98700F4501BAE44DC32E6DE24AC428741

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782843240.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b7a0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID: ZJ_H
                              • API String ID: 0-3185422581
                              • Opcode ID: 5575e2dfbb4d667b88e561037c83ef0320f4f9cdcdbee8a09d3e815faee17e87
                              • Instruction ID: 7dcd7b69c60d138880b76b40271711cd3708a9ba7e8140a80db88d70b6e6c886
                              • Opcode Fuzzy Hash: 5575e2dfbb4d667b88e561037c83ef0320f4f9cdcdbee8a09d3e815faee17e87
                              • Instruction Fuzzy Hash: C622C171B1DB4D4FD7A8DB2C88A5A7877D2EF99700B4502BAE45EC72B6DE24AC018341
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 328237c6a256cdf273dcef07ee752244fc2fed612af56ad5013e062b66160ffd
                              • Instruction ID: 687c1b8084456449e9db493c0da556a8a2f8142cd16727c6dfa306938e2921c6
                              • Opcode Fuzzy Hash: 328237c6a256cdf273dcef07ee752244fc2fed612af56ad5013e062b66160ffd
                              • Instruction Fuzzy Hash: C672A230B2DA0D5FDB68EB6C9465A7973D2FF58300B5501B9E48EC72A6DE24FC428781
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bcf58fbcabc68da6bcc0b220e1cb4d8673dbc35e65437beeadb627036a7e140d
                              • Instruction ID: 867690dab79ab5f92cbfa18c21950c3d55cc75ef3cf07dfb594765c9e0fe20b7
                              • Opcode Fuzzy Hash: bcf58fbcabc68da6bcc0b220e1cb4d8673dbc35e65437beeadb627036a7e140d
                              • Instruction Fuzzy Hash: C262A930B19A0E9FDBA8DB5CC4A4BA877E1FF58300F1541B9D44EC72A6DE34A981CB41

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782843240.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b7a0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID: _?_H
                              • API String ID: 0-3627674236
                              • Opcode ID: 8ae0288015ee22026dd4f64b03ddc11f1f746c340d7fb452167869c1ca1ae560
                              • Instruction ID: c5640c59966c4434b9b308fd47ef629ea5e02f973df57a6fced2d4f2a7af5e36
                              • Opcode Fuzzy Hash: 8ae0288015ee22026dd4f64b03ddc11f1f746c340d7fb452167869c1ca1ae560
                              • Instruction Fuzzy Hash: B6F10461B1FBC90FD7A69B6888649643FE1EF56210B0A02FBD09DCB1F3DD28AC458351

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1292 7ffd9b8f6daa-7ffd9b8f6e3f 1295 7ffd9b8f6e41-7ffd9b8f6e50 1292->1295 1296 7ffd9b8f6e9d-7ffd9b8f6f70 CreateFileA 1292->1296 1295->1296 1297 7ffd9b8f6e52-7ffd9b8f6e55 1295->1297 1306 7ffd9b8f6f78-7ffd9b8f6fbc call 7ffd9b8f6fd8 1296->1306 1307 7ffd9b8f6f72 1296->1307 1299 7ffd9b8f6e57-7ffd9b8f6e6a 1297->1299 1300 7ffd9b8f6e8f-7ffd9b8f6e97 1297->1300 1301 7ffd9b8f6e6c 1299->1301 1302 7ffd9b8f6e6e-7ffd9b8f6e81 1299->1302 1300->1296 1301->1302 1302->1302 1304 7ffd9b8f6e83-7ffd9b8f6e8b 1302->1304 1304->1300 1311 7ffd9b8f6fc3-7ffd9b8f6fd7 1306->1311 1312 7ffd9b8f6fbe 1306->1312 1307->1306 1312->1311
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 9a10ca33cad4bb33c3623e7008574a7382d8aa3bbf73d9cc00f200ffa4200b94
                              • Instruction ID: c1acd73810a47bf9d5ff0ce6607cb148b5a87624f97b062e85ad90abfb5fd93e
                              • Opcode Fuzzy Hash: 9a10ca33cad4bb33c3623e7008574a7382d8aa3bbf73d9cc00f200ffa4200b94
                              • Instruction Fuzzy Hash: 3371B671A18B4C4FDB68DF28D8567E97BD1FB58310F10426EE84EC7292DA74A941CBC2

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1699 7ffd9b8f78a1-7ffd9b8f7953 1703 7ffd9b8f7955-7ffd9b8f795a 1699->1703 1704 7ffd9b8f795d-7ffd9b8f79bb ReadFile 1699->1704 1703->1704 1706 7ffd9b8f79c3-7ffd9b8f7a0b call 7ffd9b8f7a0c 1704->1706 1707 7ffd9b8f79bd 1704->1707 1707->1706
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 03f13779891b27257205a324324b6305e1d0cda88ad965c30dcd0a2833b4e135
                              • Instruction ID: 2fadee3a55c45d11e700895e891e2e298844e0058e0ad0e97c43d82e9fe1d9fd
                              • Opcode Fuzzy Hash: 03f13779891b27257205a324324b6305e1d0cda88ad965c30dcd0a2833b4e135
                              • Instruction Fuzzy Hash: 2D419F31E08A1C8FDB58EF989845AEDBBF1FB99310F00426ED44DD7256CA34A945CBC2

                              Control-flow Graph

                              control_flow_graph 1787 7ffd9b8f5609-7ffd9b8f56b8 CreateCompatibleBitmap 1791 7ffd9b8f56ba 1787->1791 1792 7ffd9b8f56c0-7ffd9b8f56e8 1787->1792 1791->1792
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID: BitmapCompatibleCreate
                              • String ID:
                              • API String ID: 1901715728-0
                              • Opcode ID: d345f7599e53a679af1b4c0cf2b12f824a4b5218024f959fe23d6c091378c2bf
                              • Instruction ID: d03c0dc3fffb6800ca81ec76911f747f6b5b03b1bda50b5e9b8b3392ba2e0130
                              • Opcode Fuzzy Hash: d345f7599e53a679af1b4c0cf2b12f824a4b5218024f959fe23d6c091378c2bf
                              • Instruction Fuzzy Hash: DD312C31A1CA4C4FDB1CEF9898166F9BBE0EB59321F00427FD05EC3292DF6568028781
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783783672.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b8f0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID: Delete
                              • String ID:
                              • API String ID: 1035893169-0
                              • Opcode ID: 13602f72da4ec75537066be462f6f0dc551540bb0fe6d7b19d4b770021866767
                              • Instruction ID: 13ebf625c13ee0760399424de0460b4c361e8123c0b90d9b5eddb3f54e5ef3cc
                              • Opcode Fuzzy Hash: 13602f72da4ec75537066be462f6f0dc551540bb0fe6d7b19d4b770021866767
                              • Instruction Fuzzy Hash: 83210431A0C60C8FDB5CDFA8845A7FA7BE1EF95320F04416FD44DC7192DA7599068B81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782843240.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b7a0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID: |?_H
                              • API String ID: 0-1790896812
                              • Opcode ID: 524cbd5b8fcfaa0c3a6dc4ac197393bc2b18d26dda02990d3e0b4c1848fe7dee
                              • Instruction ID: 9cb43f6fa3667c26dc5ec23de036815b5eac09faf3135dd2226300313b2b1f16
                              • Opcode Fuzzy Hash: 524cbd5b8fcfaa0c3a6dc4ac197393bc2b18d26dda02990d3e0b4c1848fe7dee
                              • Instruction Fuzzy Hash: 1071F262B0EB894FE7A5EB7C8C655247BE1EF69210B0602BFD099C71F3D928AC458341
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782843240.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b7a0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID: _?_H
                              • API String ID: 0-3627674236
                              • Opcode ID: c30743281a5b921d54458b0768ccac07a22c75800095bd4b8f75e16a6b5ae420
                              • Instruction ID: b96e868b0df80337071522268caf40745c901816533d11898e5a48d5d8bd6be8
                              • Opcode Fuzzy Hash: c30743281a5b921d54458b0768ccac07a22c75800095bd4b8f75e16a6b5ae420
                              • Instruction Fuzzy Hash: B161F261B2EB990FD7A4DB288468A383BE1EF59710B0606BED09DC71F3DE24BC458345
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782843240.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b7a0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: 68991e5c7d1f39f1e572b1e641abfa2522e03ba59926068b00216bc9d0dadae6
                              • Instruction ID: 68685b7df5c97968a8a16db452c414f635a19d50157abb9601dc203671d1c053
                              • Opcode Fuzzy Hash: 68991e5c7d1f39f1e572b1e641abfa2522e03ba59926068b00216bc9d0dadae6
                              • Instruction Fuzzy Hash: 1741707171CE0D4FDBA8EB1CD465A6473D2FB98710B5102AAE04EC72B6DE25EC428781
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b7a0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 48af3946dbdc52b4ca5045179863a9924cb45b03ba17964002917c630054c55f
                              • Instruction ID: a7eae6d2c3f43b5aee8ab4e596d2947669a969d3e31027ba4f852a6394968c18
                              • Opcode Fuzzy Hash: 48af3946dbdc52b4ca5045179863a9924cb45b03ba17964002917c630054c55f
                              • Instruction Fuzzy Hash: 3511733170EA898FDBA5D758C464E2877E1EF55700B1906ADD04DC71F2CA28BC80C785
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 569848bab3747f81be2acde8c62060ea1d4f246ee4e5f2557cc77a26ac8bc947
                              • Instruction ID: 5e11e0446bcfca82acd74fabb64c34bf65adee434bff12768de3847e7a18a407
                              • Opcode Fuzzy Hash: 569848bab3747f81be2acde8c62060ea1d4f246ee4e5f2557cc77a26ac8bc947
                              • Instruction Fuzzy Hash: F1119530A0961C8FCFA9DB18C894AA873B6FB59300F1042E9D00DE72A1CA71AE81CF40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 402bd15b364bc878bb2a2133e08da0875c554fe28e4d8663050307e14d51a39d
                              • Instruction ID: 9d4d4142ba96714e90000a74e91a5425247d3fc7496a51f73576501076280836
                              • Opcode Fuzzy Hash: 402bd15b364bc878bb2a2133e08da0875c554fe28e4d8663050307e14d51a39d
                              • Instruction Fuzzy Hash: A701A713F0F58E46EB2623ADAC751F97B50EF83624F4903B2E4AD890E3DD097516C191
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4397318de1bb81eed2c50e1f107f66b11cbf392fdad6d73e2d0eb0d83dae07b
                              • Instruction ID: 419f0912ef2185757dcb1e1b3a155a22c211331814d744d5f2bb79df2b485ecf
                              • Opcode Fuzzy Hash: c4397318de1bb81eed2c50e1f107f66b11cbf392fdad6d73e2d0eb0d83dae07b
                              • Instruction Fuzzy Hash: 19015E70908A4D8FDF84EF58C858AEE7BF0FF68300F0005AAD418C72A1D7309554CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d85e1137e12c91c6f4a4a0786c9e81e2375c3ac3c72eaf1af0bce854be6d5cac
                              • Instruction ID: 54433c643ece6aa9f85c76b2c6c2e6fa812e6bf5d6271a273cd8721533ba895e
                              • Opcode Fuzzy Hash: d85e1137e12c91c6f4a4a0786c9e81e2375c3ac3c72eaf1af0bce854be6d5cac
                              • Instruction Fuzzy Hash: 2701DA70914A4D9FDF84EF58C849AEE77F0FB68305F10066AA41DD7264DB30E690CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cf23ceb0855ef4bf928cf5d7ea7078f7fa2b3b76ffb53218ce513a5ce2d47097
                              • Instruction ID: d042fc1757a0f8dd13944bb6407db4dbcb56e27f35b11bffc7917f25bc33bdc6
                              • Opcode Fuzzy Hash: cf23ceb0855ef4bf928cf5d7ea7078f7fa2b3b76ffb53218ce513a5ce2d47097
                              • Instruction Fuzzy Hash: 0001DA70914A0D9FDF94EF58C849AEE77F0FB68305F11466AA419D7264DB70E590CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a433395c0ca3c2814313b646fb42dcef7093a539a1945f688115d9acecfa5d99
                              • Instruction ID: dd0e986bff987ffa326cc535b603302af9b57a5c6c1d83c84afaa5093c829e46
                              • Opcode Fuzzy Hash: a433395c0ca3c2814313b646fb42dcef7093a539a1945f688115d9acecfa5d99
                              • Instruction Fuzzy Hash: 4B01BB7091494D8FDF94EF98C858AFE77F0FB68305F10456AA419D72A4DB30A690CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2b09c8f633d754bdf720e48de3c171c392e1e63e32fa012aa531555d91ffa39
                              • Instruction ID: 9a8b6acfc7cbfc2e024f8aa9c7bc3587982463014012916c017b0f4d21360a30
                              • Opcode Fuzzy Hash: f2b09c8f633d754bdf720e48de3c171c392e1e63e32fa012aa531555d91ffa39
                              • Instruction Fuzzy Hash: A0015C70A0965C8FDFA9DB58C894AA877B5FB55701F1011E9D01DE72A5CB71AE80CF40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a1f7aa2d58b022493238e5e250c3431a18f35bb60031a19f3bfe8dc3c39fd2af
                              • Instruction ID: 7fd0f2113b23a933269c5870674858fb44917140925f8ccbede1072556e7d8a5
                              • Opcode Fuzzy Hash: a1f7aa2d58b022493238e5e250c3431a18f35bb60031a19f3bfe8dc3c39fd2af
                              • Instruction Fuzzy Hash: 6501B67091490D8FDF94EF98C858ABE7BF0FB68305F10466AA41DD72A4DB30A690CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5dbfee83474246972207ebef265887b5067b044547b592d02bb37c545ec936ef
                              • Instruction ID: 14adb26bd38b4d9e1f659f7350b801c57fb65a66fdf5c2a056ffd3ea24a47710
                              • Opcode Fuzzy Hash: 5dbfee83474246972207ebef265887b5067b044547b592d02bb37c545ec936ef
                              • Instruction Fuzzy Hash: AE01EC7091490D8FDF84EF58C848AEE7BF0FF68305F10456AE419D72A0DB70A694CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66ae3ba9e71f6569042e657a79866926145dd5545d55648ef97d699483bc0ab9
                              • Instruction ID: 95cf5a84f0b34b895ceda950973f14077a8fbe0f9c68d45474501f51f9fd2ec4
                              • Opcode Fuzzy Hash: 66ae3ba9e71f6569042e657a79866926145dd5545d55648ef97d699483bc0ab9
                              • Instruction Fuzzy Hash: 42F0FC7190F78C5FE7629B648C391D87FA0EF95210F4501E7D458CB0E3DA257584C301
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 855c8cd5258e1069d5d2ea526701914d03d9a58e4def025295c1b836c1a4d995
                              • Instruction ID: 81d043e72c83f0a83b4dd5f37f3ae4569d6305a593a61c61525e50ce178a03df
                              • Opcode Fuzzy Hash: 855c8cd5258e1069d5d2ea526701914d03d9a58e4def025295c1b836c1a4d995
                              • Instruction Fuzzy Hash: 0BF01C3091494C9FDF94EFA8C858AE9BBF0FF68305F4045AAE41DC71A4DB31A694CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d49600d95a4dd911cae6280ae9328bd7a33291565c3d45d4449af4aa2f5b0875
                              • Instruction ID: a44d6651ec868f2427b7a11d8574e203a4c608fa550ec298e8340d4144e81cd4
                              • Opcode Fuzzy Hash: d49600d95a4dd911cae6280ae9328bd7a33291565c3d45d4449af4aa2f5b0875
                              • Instruction Fuzzy Hash: BDF01261A0E7CD9EDB2367F55C751A47F30AF93204F4A06A3E4A8CA0E3D9186618C362
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782258396.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_QtON0L47XD.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 41d2a8db6dec85406ce0e955c83f5c89f531efb474decd840dcdbe758263219c
                              • Instruction ID: 88ac26f8bdde9275f4ee263601b6a872a719d2190de1bed69c5a10e62f116cac
                              • Opcode Fuzzy Hash: 41d2a8db6dec85406ce0e955c83f5c89f531efb474decd840dcdbe758263219c
                              • Instruction Fuzzy Hash: 0A41257190E6CE4FE7529FA0DC619E57FB0EF82324F0542F7E558CA0A3DA299946C341