Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1504335
MD5:49fbbdd3bd005ded23aeadf895b316ed
SHA1:5ddb0f409cce64e5859c0e6f1b4186469f71914d
SHA256:b6e0fe385b4c96a6b9ce87315989e949e47d1835efa1cc037e5c00238e6e2a42
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Installs new ROOT certificates
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 49FBBDD3BD005DED23AEADF895B316ED)
    • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 7688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "147.45.47.36:30035", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000003.00000002.1468172849.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000000.00000002.1326352449.0000000004375000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
              Process Memory Space: file.exe PID: 7588JoeSecurity_RedLineYara detected RedLine StealerJoe Security
                Click to see the 2 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.2.file.exe.4375570.0.raw.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  3.2.RegAsm.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    0.2.file.exe.4375570.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                      Sigma Signatures

                      No Sigma rule has matched

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-04T19:28:06.698820+020020432341A Network Trojan was detected147.45.47.3630035192.168.2.949711TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-04T19:28:06.504712+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:11.748834+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:12.266722+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:12.557580+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:12.815172+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:13.038636+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:13.320504+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:13.559527+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:13.758238+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:14.022617+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:14.319036+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:14.565778+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:14.612223+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:14.623744+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:15.455847+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:15.657215+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:16.019173+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:16.230168+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:16.493868+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:16.734549+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:17.961728+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:18.160741+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:18.359371+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:18.557466+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      2024-09-04T19:28:18.787756+020020432311A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-04T19:28:11.952398+020020460561A Network Trojan was detected147.45.47.3630035192.168.2.949711TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-04T19:28:06.504712+020020460451A Network Trojan was detected192.168.2.949711147.45.47.3630035TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 00000000.00000002.1326352449.0000000004375000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: RedLine {"C2 url": "147.45.47.36:30035", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.9:49711 -> 147.45.47.36:30035
                      Source: Network trafficSuricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.9:49711 -> 147.45.47.36:30035
                      Source: Network trafficSuricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 147.45.47.36:30035 -> 192.168.2.9:49711
                      Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 147.45.47.36:30035 -> 192.168.2.9:49711
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: 147.45.47.36:30035
                      Source: global trafficTCP traffic: 192.168.2.9:49711 -> 147.45.47.36:30035
                      Source: Joe Sandbox ViewIP Address: 147.45.47.36 147.45.47.36
                      Source: Joe Sandbox ViewASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                      Source: RegAsm.exe, 00000003.00000002.1468679556.00000000012FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adp/1.0/
                      Source: RegAsm.exe, 00000003.00000002.1468679556.00000000012FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.exif/1:
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000032BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000032BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000032BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000032BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: RegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                      Source: file.exe, 00000000.00000002.1326352449.0000000004375000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1468172849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp23FB.tmpJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp240B.tmpJump to dropped file

                      System Summary

                      barindex
                      .NET source code contains very large array initializations
                      Source: file.exe, MoveAngles.csLarge array initialization: MoveAngles: array initializer size 311296
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_02F3DC743_2_02F3DC74
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_057069483_2_05706948
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_05700AFC3_2_05700AFC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_05707C203_2_05707C20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_057000403_2_05700040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_057000073_2_05700007
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_05700AF93_2_05700AF9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_05707C103_2_05707C10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_05701FF03_2_05701FF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06AB67D83_2_06AB67D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABA3E83_2_06ABA3E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABA3E13_2_06ABA3E1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06AB6FE83_2_06AB6FE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06AB6FF83_2_06AB6FF8
                      Source: file.exe, 00000000.00000002.1323973758.000000000148E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
                      Source: file.exe, 00000000.00000002.1326352449.00000000043B8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePennants.exe8 vs file.exe
                      Source: file.exeBinary or memory string: OriginalFilenamesecinitj% vs file.exe
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/6@0/1
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.logJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp23FB.tmpJump to behavior
                      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000036D9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.000000000362F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.000000000379A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.0000000003644000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.0000000003784000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000036EF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: esdsip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                      Source: Google Chrome.lnk.3.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0570E090 push es; ret 3_2_0570E0A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0570C9C0 push es; ret 3_2_0570C9D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABC71B push es; ret 3_2_06ABC720
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABD413 push es; ret 3_2_06ABD420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABD538 pushad ; retn 0006h3_2_06ABD539
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABD021 pushad ; retn 0006h3_2_06ABD022
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABE069 push es; ret 3_2_06ABE070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABCE88 pushad ; retn 0006h3_2_06ABCE8A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABCED1 pushad ; retn 0006h3_2_06ABCED2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABECF2 push eax; ret 3_2_06ABED01
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABBC5F push esi; retn 0006h3_2_06ABBC62
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABDA70 pushfd ; retn 0006h3_2_06ABDA71
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06ABD9E0 push eax; retn 0006h3_2_06ABD9E1
                      Source: file.exeStatic PE information: section name: .text entropy: 7.996132371262729

                      Persistence and Installation Behavior

                      barindex
                      Installs new ROOT certificates
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 3120000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 3370000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 31A0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2EF0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 3140000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2F50000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 493Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1868Jump to behavior
                      Source: C:\Users\user\Desktop\file.exe TID: 7680Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7968Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7708Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696497155j
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1483862437.0000000005AEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                      Source: RegAsm.exe, 00000003.00000002.1470218861.00000000035BE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
                      Source: RegAsm.exe, 00000003.00000002.1474313836.00000000046A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_03372129 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_03372129
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E04008Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: file.exe, 00000000.00000002.1323973758.00000000014C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
                      Source: file.exe, 00000000.00000002.1323973758.00000000014C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVP.exe
                      Source: RegAsm.exe, 00000003.00000002.1487399073.0000000007995000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1469052988.000000000157D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1487311549.000000000797B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.file.exe.4375570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.4375570.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.1468172849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1326352449.0000000004375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 7588, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7688, type: MEMORYSTR
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqliteJump to behavior
                      Tries to steal Crypto Currency Wallets
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                      Source: Yara matchFile source: 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7688, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.file.exe.4375570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.4375570.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.1468172849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1326352449.0000000004375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 7588, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7688, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		411
                      Process Injection                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		231
                      Security Software Discovery                      		Remote Services1
                      Archive Collected Data                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		1
                      Disable or Modify Tools                      		LSASS Memory1
                      Process Discovery                      		Remote Desktop Protocol2
                      Data from Local System                      		1
                      Non-Standard Port                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                      Virtualization/Sandbox Evasion                      		Security Account Manager241
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Application Layer Protocol                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                      Obfuscated Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Install Root Certificate                      		Cached Domain Credentials113
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sct0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk0%URL Reputationsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha10%URL Reputationsafe
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap0%URL Reputationsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret0%URL Reputationsafe
                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/fault0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat0%URL Reputationsafe
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%URL Reputationsafe
                      https://api.ip.sb/ip0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/sc0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%URL Reputationsafe
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/08/addressing0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust0%URL Reputationsafe
                      http://tempuri.org/Entity/Id14ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id12Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id90%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%URL Reputationsafe
                      http://tempuri.org/Entity/Id2Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%URL Reputationsafe
                      147.45.47.36:300350%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id23ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id80%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%URL Reputationsafe
                      http://tempuri.org/0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%URL Reputationsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.00%URL Reputationsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%URL Reputationsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey0%URL Reputationsafe
                      http://tempuri.org/Entity/Id60%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id40%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id19Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id70%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id50%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp90%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id13ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id9Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%Avira URL Cloudsafe
                      http://ns.adp/1.0/0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id100%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id16Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id11ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id17ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/soap/envelope/0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id8ResponseD0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      147.45.47.36:30035true
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sctRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id14ResponseDRegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id23ResponseDRegAsm.exe, 00000003.00000002.1470218861.00000000032BD000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id12ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id2ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id21ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id9RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id8RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id6ResponseDRegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id5RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id4RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id7RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id6RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id19ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://api.ip.sb/ipfile.exe, 00000000.00000002.1326352449.0000000004375000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1468172849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id20RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id21RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id22RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id23RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id24RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://ns.adp/1.0/RegAsm.exe, 00000003.00000002.1468679556.00000000012FE000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id10RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id11RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id12RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id13RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id14RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id15RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id16RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id17RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id18RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id19RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000003.00000002.1470218861.00000000032BD000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000003.00000002.1470218861.0000000003141000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id8ResponseDRegAsm.exe, 00000003.00000002.1470218861.0000000003228000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyRegAsm.exe, 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      147.45.47.36
                      		unknownRussian Federation
                      		2895FREE-NET-ASFREEnetEUtrue

                      General Information

                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1504335
                      Start date and time:2024-09-04 19:27:11 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 50s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:13
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@4/6@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 93
                      • Number of non-executed functions: 5
                      Cookbook Comments:
                      • Found application associated with file extension: .exe

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, UsoClient.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: file.exe

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      13:28:16API Interceptor13x Sleep call for process: RegAsm.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      147.45.47.36FileApp.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRATBrowse
                        file.exeGet hashmaliciousRedLineBrowse
                          file.exeGet hashmaliciousRedLineBrowse
                            bj6NsBOOyE.exeGet hashmaliciousRedLineBrowse
                              file.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                file.exeGet hashmaliciousRedLineBrowse
                                  file.exeGet hashmaliciousRedLineBrowse
                                    file.exeGet hashmaliciousRedLineBrowse
                                      file.exeGet hashmaliciousRedLineBrowse
                                        file.exeGet hashmaliciousRedLineBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          FREE-NET-ASFREEnetEUFileApp.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRATBrowse
                                          • 147.45.47.36
                                          file.exeGet hashmaliciousRedLineBrowse
                                          • 147.45.47.36
                                          file.exeGet hashmaliciousStealcBrowse
                                          • 147.45.47.137
                                          Selenium.exeGet hashmaliciousLummaCBrowse
                                          • 147.45.44.131
                                          Kpmg.exeGet hashmaliciousLummaCBrowse
                                          • 147.45.44.131
                                          file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
                                          • 147.45.47.137
                                          file.exeGet hashmaliciousLummaC, VidarBrowse
                                          • 147.45.68.138
                                          file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                          • 147.45.68.138
                                          file.exeGet hashmaliciousLummaC, VidarBrowse
                                          • 147.45.68.138
                                          file.exeGet hashmaliciousRedLineBrowse
                                          • 147.45.47.36

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\Public\Desktop\Google Chrome.lnk

                                          Download File
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 08:16:11 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
                                          Category:dropped
                                          Size (bytes):2104
                                          Entropy (8bit):3.457771726436173
                                          Encrypted:false
                                          SSDEEP:48:8S6dYT5H0lRYrnvPdAKRkdAGdAKRFdAKRz:8Stx7
                                          MD5:CFC952154F54922BC2D8FD8CBB508037
                                          SHA1:50B4DC7AAFA25058F671653D4A01DA0CAC56B0CE
                                          SHA-256:31F34AB7220D598720CBF08F859E8AB962C666A35B5475F78082048F4473C029
                                          SHA-512:BAD9E686CC66E6EFBF79406A75F56272D7F2424AB5C0622E173685F692A95830695059DA21ADAB8C69B91F1F02F59AAB97072C7981EEB4CDBD2A6870DEBB09D4
                                          Malicious:false
                                          Reputation:low
                                          Preview:L..................F.@.. ......,........l....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IEW.I....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW.F....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VEW.F....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VEW.F.............................A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.I..........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

                                          Download File
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3274
                                          Entropy (8bit):5.3318368586986695
                                          Encrypted:false
                                          SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                          MD5:0B2E58EF6402AD69025B36C36D16B67F
                                          SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                          SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                          SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

                                          Download File
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):42
                                          Entropy (8bit):4.0050635535766075
                                          Encrypted:false
                                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..

                                          C:\Users\user\AppData\Local\Temp\Tmp23FB.tmp

                                          Download File
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2662
                                          Entropy (8bit):7.8230547059446645
                                          Encrypted:false
                                          SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                          MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                          SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                          SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                          SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                          C:\Users\user\AppData\Local\Temp\Tmp240B.tmp

                                          Download File
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2662
                                          Entropy (8bit):7.8230547059446645
                                          Encrypted:false
                                          SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                          MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                          SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                          SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                          SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                          C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

                                          Download File
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2251
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:0158FE9CEAD91D1B027B795984737614
                                          SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                          SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                          SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                          Malicious:false
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          Static File Info

                                          General

                                          File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.986315153668413
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:file.exe
                                          File size:320'512 bytes
                                          MD5:49fbbdd3bd005ded23aeadf895b316ed
                                          SHA1:5ddb0f409cce64e5859c0e6f1b4186469f71914d
                                          SHA256:b6e0fe385b4c96a6b9ce87315989e949e47d1835efa1cc037e5c00238e6e2a42
                                          SHA512:cff67060ed809bff241b5ecec681d2960cbed94000ce1b2558069ab20a63e77767c3c38a512ee5f363aabef9e6d228f6c9997e6483db24ab1324f7de5c655a1c
                                          SSDEEP:6144:j6ulq0zUqahs0Tm9yNmxtXRHGXXtDlpxvaKV7LXAzfB6y3cq:20q0Ins0Tm9Um7JGHtDAKV7rq
                                          TLSH:D66423D7DE0BE7B1CD3609F290B98EAC2575E3F9447F8C482646833AC9E591C097A874
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M`.f................................. ........@.. .......................@............`................................

                                          File Icon

                                          Icon Hash:00928e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x44f6de
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows cui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x66D8604D [Wed Sep 4 13:27:41 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x4f6900x4b.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x500000x602.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x520000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x4f5580x1c.text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000x4d6e40x4d800ef43b908c20ffb64d440bb83ce926c6bFalse0.9940492691532258data7.996132371262729IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0x500000x6020x8009639fa6120fd371837905935aa41ec17False0.34619140625data3.469016537160503IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0x520000xc0x200ccc8c3241508cfaa5c8a5493ebb495f9False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_VERSION0x500a00x378dataEnglishUnited States0.4560810810810811
                                          RT_MANIFEST0x504180x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Possible Origin

                                          Language of compilation systemCountry where language is spokenMap
                                          EnglishUnited States

                                          Network Behavior

                                          Suricata IDS Alerts

                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                          2024-09-04T19:28:06.504712+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:06.504712+02002046045ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:06.698820+02002043234ET MALWARE Redline Stealer TCP CnC - Id1Response1147.45.47.3630035192.168.2.949711TCP
                                          2024-09-04T19:28:11.748834+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:11.952398+02002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)1147.45.47.3630035192.168.2.949711TCP
                                          2024-09-04T19:28:12.266722+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:12.557580+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:12.815172+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:13.038636+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:13.320504+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:13.559527+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:13.758238+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:14.022617+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:14.319036+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:14.565778+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:14.612223+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:14.623744+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:15.455847+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:15.657215+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:16.019173+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:16.230168+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:16.493868+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:16.734549+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:17.961728+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:18.160741+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:18.359371+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:18.557466+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP
                                          2024-09-04T19:28:18.787756+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949711147.45.47.3630035TCP

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Sep 4, 2024 19:28:05.796370983 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:05.801362038 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:05.801490068 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:05.811198950 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:05.816060066 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:06.462352991 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:06.503246069 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:06.504712105 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:06.509641886 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:06.698820114 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:06.753434896 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:11.748833895 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:11.753895998 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:11.952223063 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:11.952240944 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:11.952259064 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:11.952301025 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:11.952398062 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:11.952409983 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:11.952470064 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:12.003252983 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:12.266721964 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:12.271912098 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:12.462858915 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:12.518919945 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:12.557579994 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:12.562540054 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:12.750284910 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:12.800122023 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:12.815171957 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:12.820056915 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.009001970 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.038635969 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:13.044222116 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.319529057 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.320503950 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:13.325788975 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.522247076 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.559526920 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:13.565774918 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.753861904 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.758238077 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:13.763600111 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:13.951550961 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.003267050 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.022617102 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.027787924 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.027803898 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.027877092 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.027895927 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.027906895 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.027928114 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.027936935 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.028050900 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.028060913 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.028068066 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.028072119 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.028079987 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.033200026 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.033452034 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.033462048 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.033516884 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.312194109 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.319036007 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.324306965 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.324321985 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.324330091 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.324503899 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.324515104 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.324522972 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.324534893 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.324546099 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.525510073 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.565778017 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.612222910 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.621557951 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.621576071 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.621639013 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.623642921 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.623655081 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.623662949 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.623672962 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.623682976 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.623744011 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.623830080 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.626621008 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626631021 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626638889 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626647949 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626701117 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.626765013 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626774073 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626782894 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626808882 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626817942 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.626817942 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626854897 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.626872063 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.626941919 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.626992941 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.627135992 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.627145052 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.627155066 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.627165079 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.627194881 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.627223015 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.631524086 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631577969 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.631606102 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631623983 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631634951 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631649971 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631655931 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.631705999 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.631736994 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.631808996 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631819010 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631836891 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631845951 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631855011 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631864071 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.631865025 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.631880045 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.631917953 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.632045031 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632184982 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.632302046 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632311106 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632349968 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.632848024 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632857084 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632869959 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632880926 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632891893 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632900953 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632909060 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632919073 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632926941 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632936001 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632945061 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632956028 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632966042 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632981062 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632988930 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.632997036 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633006096 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633013964 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633023977 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633033037 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633042097 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633052111 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633060932 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633071899 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.633162975 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.636288881 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636298895 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636307001 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636353970 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.636384010 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.636456966 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636466980 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636478901 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636493921 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636503935 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636512995 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636522055 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636531115 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636540890 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636657953 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636729002 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636739016 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636746883 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636785984 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636795044 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636830091 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.636914968 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637001991 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637011051 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637020111 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637099981 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637219906 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637229919 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637238026 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637680054 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637689114 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637697935 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637706041 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637716055 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637728930 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637737989 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637747049 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637758017 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637767076 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637775898 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637784004 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637793064 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.637800932 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638017893 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.638094902 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.638266087 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638278008 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638334990 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638385057 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638567924 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638576984 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638612986 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638622999 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638631105 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638638973 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638701916 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638729095 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638745070 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638752937 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638762951 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638772011 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638868093 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638930082 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.638940096 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639287949 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639297009 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639305115 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639313936 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639322042 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639331102 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639341116 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639349937 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639358044 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639365911 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639374018 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639384985 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639394045 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.639404058 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641143084 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641160965 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641251087 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641259909 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641319036 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641328096 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641446114 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641454935 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641472101 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641480923 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641514063 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641522884 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641531944 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641582966 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641592979 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641601086 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641668081 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641678095 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641959906 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641968966 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.641978025 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.642175913 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.642239094 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.642996073 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643048048 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643129110 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643137932 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643146038 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643156052 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643163919 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643198013 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643366098 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643376112 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643384933 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643393040 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643402100 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643413067 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643421888 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643471003 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643480062 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643487930 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643497944 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643507004 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643516064 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643526077 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643630981 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643639088 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643646955 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643656015 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643665075 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643673897 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643867016 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643877983 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643891096 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643901110 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643909931 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643919945 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643930912 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643940926 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643949986 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643959045 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.643968105 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644002914 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644012928 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644021988 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644031048 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644040108 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644047976 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644057035 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644066095 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644076109 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644084930 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644092083 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644100904 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644367933 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644376040 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644385099 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.644582987 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.644640923 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.647250891 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647260904 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647269011 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647387028 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647396088 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647404909 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647416115 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647424936 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647434950 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647443056 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647599936 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647609949 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647618055 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647625923 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647660017 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647669077 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647676945 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647687912 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647696972 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647706032 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647869110 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647878885 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647890091 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647898912 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647907972 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647967100 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647974968 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647984028 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.647993088 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648108006 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648122072 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648129940 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648140907 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648188114 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648197889 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648205996 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648211002 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648215055 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648377895 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648387909 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648396015 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648405075 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648415089 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648418903 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648427963 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648437023 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648446083 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648456097 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648464918 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648474932 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648493052 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648504972 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648514032 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648524046 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.648699045 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.648768902 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.649535894 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.649600983 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.649610996 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.649859905 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.649869919 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.649879932 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.649936914 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.649946928 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.649955988 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650042057 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650053024 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650207043 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650216103 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650255919 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650265932 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650274038 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650284052 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650399923 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650408983 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650418043 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650427103 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650578022 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650587082 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650595903 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650605917 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650614023 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650696039 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650705099 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650713921 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650722980 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650732040 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650779963 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650789976 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650798082 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650808096 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650820971 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650830030 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650840044 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650850058 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650859118 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650866985 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.650875092 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651143074 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651150942 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651159048 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651168108 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651176929 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651185989 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651195049 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651204109 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651212931 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651221991 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651231050 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651240110 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.651402950 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.651489019 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.653831959 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.653841972 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.653851032 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.653861046 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.653939009 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654016018 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654023886 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654033899 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654042959 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654159069 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654167891 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654304028 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654313087 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654316902 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654445887 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654625893 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654634953 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654644012 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654654026 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654763937 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654773951 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654783964 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654793978 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.654802084 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655149937 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655158997 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655168056 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655177116 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655185938 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655194998 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655204058 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655214071 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655222893 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655368090 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655376911 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655385971 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655395031 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655404091 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655412912 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655421972 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655436993 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655447006 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655457020 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655466080 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655476093 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655484915 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655495882 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655513048 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655522108 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655529976 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655783892 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655793905 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655802011 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.655811071 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656048059 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.656126022 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.656476021 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656621933 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656630993 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656753063 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656763077 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656771898 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656785011 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656790018 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656794071 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656801939 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656965971 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656976938 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656985998 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.656996012 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657103062 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657111883 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657120943 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657135010 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657144070 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657152891 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657160997 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657170057 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657179117 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657187939 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657206059 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657215118 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657223940 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657233000 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657243013 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657253981 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657263041 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657273054 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657283068 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657320023 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657464027 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657473087 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657480955 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657490015 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657499075 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657507896 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657579899 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657588959 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657598972 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657608032 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657617092 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657625914 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657629967 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657802105 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657809973 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657814026 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657821894 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657830954 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657840014 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.657850027 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.658051968 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.658126116 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.661000967 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661026955 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661158085 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661228895 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661237955 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661247015 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661258936 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661267996 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661344051 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661353111 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661360979 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661381006 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661391973 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661401033 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661410093 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661540031 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661550045 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661556959 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661566019 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661575079 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661583900 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661592960 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.661654949 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.702497959 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:14.704113007 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:14.753793001 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:15.453211069 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:15.455847025 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:15.461420059 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:15.654294014 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:15.657215118 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:15.665642023 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:15.874351978 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:15.925148010 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:16.019172907 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:16.029392004 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:16.225857973 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:16.230168104 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:16.235430956 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:16.423384905 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:16.472084045 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:16.493868113 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:16.499010086 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:16.693003893 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:16.734549046 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:16.741089106 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:16.929035902 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:16.972059011 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:17.961728096 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:17.966722965 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:18.158312082 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:18.160741091 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:18.170274019 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:18.358908892 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:18.359370947 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:18.364257097 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:18.556668043 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:18.557466030 CEST4971130035192.168.2.9147.45.47.36
                                          Sep 4, 2024 19:28:18.568392038 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:18.757477045 CEST3003549711147.45.47.36192.168.2.9
                                          Sep 4, 2024 19:28:18.787755966 CEST4971130035192.168.2.9147.45.47.36

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:13:28:03
                                          Start date:04/09/2024
                                          Path:C:\Users\user\Desktop\file.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                          Imagebase:0xff0000
                                          File size:320'512 bytes
                                          MD5 hash:49FBBDD3BD005DED23AEADF895B316ED
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1326352449.0000000004375000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          General

                                          Target ID:1
                                          Start time:13:28:03
                                          Start date:04/09/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff70f010000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:3
                                          Start time:13:28:03
                                          Start date:04/09/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                          Imagebase:0xd90000
                                          File size:65'440 bytes
                                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1468172849.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1470218861.00000000031E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:34.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:25%
                                            Total number of Nodes:24
                                            Total number of Limit Nodes:1
                                            execution_graph 373 3120988 374 31209a5 373->374 379 3120ad7 374->379 375 31209c9 377 31209f2 375->377 384 31204b0 375->384 380 3120b05 379->380 381 3120dab VirtualProtectEx 380->381 383 3120d42 380->383 382 3120deb 381->382 382->375 383->375 385 3120d60 VirtualProtectEx 384->385 387 3120deb 385->387 387->377 388 3120979 389 31209a5 388->389 393 3120ad7 VirtualProtectEx 389->393 390 31209c9 391 31204b0 VirtualProtectEx 390->391 392 31209f2 390->392 391->392 393->390 394 3372129 395 3372161 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 394->395 397 337233e WriteProcessMemory 395->397 398 3372383 397->398 399 33723c5 WriteProcessMemory Wow64SetThreadContext ResumeThread 398->399 400 3372388 WriteProcessMemory 398->400 400->398

                                            Callgraph

                                            • Executed
                                            • Not Executed
                                            • Opacity -> Relevance
                                            • Disassembly available
                                            callgraph 0 Function_03120090 1 Function_03120490 2 Function_033711B5 3 Function_03371D35 4 Function_03372635 5 Function_03120E14 38 Function_0312013C 5->38 6 Function_03371B31 7 Function_03371BBC 8 Function_03371B3A 9 Function_0312011C 10 Function_03371239 11 Function_033710B8 12 Function_03371A38 13 Function_03371227 14 Function_03120080 15 Function_03120100 16 Function_03120006 17 Function_03371BA1 18 Function_0337262F 19 Function_03120988 25 Function_031204B0 19->25 37 Function_031204BC 19->37 42 Function_031204A4 19->42 53 Function_03120AD7 19->53 20 Function_033719AC 21 Function_0312010C 22 Function_03372129 23 Function_03371BA8 24 Function_03120F32 26 Function_031200B0 27 Function_03371114 28 Function_03371B14 29 Function_03372E14 30 Function_03371C11 31 Function_03120F38 32 Function_03371A9D 33 Function_03371A1C 34 Function_03371B1B 35 Function_03120F3F 35->38 36 Function_031200BC 37->38 39 Function_031200A0 40 Function_03371B85 41 Function_03371F82 43 Function_03371001 44 Function_03371A00 45 Function_03371A80 46 Function_03371D0F 47 Function_03371A8C 48 Function_03371B8C 49 Function_0312012C 50 Function_03371209 51 Function_03120450 52 Function_03371BF4 54 Function_03371B72 55 Function_03120054 56 Function_031200D4 57 Function_03371A70 58 Function_031208D8 59 Function_03371BFC 60 Function_0312045D 61 Function_033719E4 62 Function_03120444 63 Function_03371BE0 64 Function_03372460 65 Function_03120848 66 Function_031200C8 67 Function_031204C8 68 Function_03120A49 69 Function_0312014C 70 Function_03371B69 71 Function_03120070 72 Function_031200F0 73 Function_03120471 74 Function_03371A54 75 Function_03371B53 76 Function_03371AD1 77 Function_03371E51 78 Function_03120475 79 Function_03120979 79->25 79->37 79->42 79->53 80 Function_03371BD9 81 Function_03120060 82 Function_03120461 83 Function_03371BC4 84 Function_031200E4 85 Function_03120465 86 Function_031208E8 87 Function_03371B4D 88 Function_03120469 89 Function_0312046D 90 Function_033719C8

                                            Executed Functions

                                            Function 03372129 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0337209B,0337208B), ref: 03372298
                                            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 033722AB
                                            • Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 033722C9
                                            • ReadProcessMemory.KERNELBASE(00000098,?,033720DF,00000004,00000000), ref: 033722ED
                                            • VirtualAllocEx.KERNELBASE(00000098,?,?,00003000,00000040), ref: 03372318
                                            • WriteProcessMemory.KERNELBASE(00000098,00000000,?,?,00000000,?), ref: 03372370
                                            • WriteProcessMemory.KERNELBASE(00000098,00400000,?,?,00000000,?,00000028), ref: 033723BB
                                            • WriteProcessMemory.KERNELBASE(00000098,05050F18,?,00000004,00000000), ref: 033723F9
                                            • Wow64SetThreadContext.KERNEL32(0000009C,03250000), ref: 03372435
                                            • ResumeThread.KERNELBASE(0000009C), ref: 03372444
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1325301350.0000000003371000.00000040.00000800.00020000.00000000.sdmp, Offset: 03371000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3371000_file.jbxd
                                            Similarity
                                            • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                            • API String ID: 2687962208-1257834847
                                            • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                            • Instruction ID: eb656cb76fbd38af85da25f8dc8332769aa85bb7cdb249706ae6c1318752da8e
                                            • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                            • Instruction Fuzzy Hash: 35B1E77664024AAFDB60CF68CC80BDA77A9FF88714F158564EA0CEB341D774FA418B94
                                            Function 03120AD7 Relevance: 1.8, APIs: 1, Instructions: 262COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 23 3120ad7-3120b1a 26 3120b1c-3120b2d 23->26 28 3120b33-3120b4d 26->28 29 3120d4a-3120de9 VirtualProtectEx 26->29 28->29 30 3120b53-3120b5e 28->30 36 3120df0-3120e09 29->36 37 3120deb 29->37 30->29 31 3120b64-3120b6f 30->31 31->26 33 3120b71-3120b79 31->33 35 3120b7c-3120b84 33->35 35->29 38 3120b8a-3120b97 35->38 37->36 38->29 40 3120b9d-3120ba9 38->40 41 3120bb2-3120bbc 40->41 42 3120bab-3120bb1 40->42 41->29 43 3120bc2-3120bcc 41->43 42->41 43->29 44 3120bd2-3120bde 43->44 44->29 45 3120be4-3120bf1 44->45 45->35 46 3120bf3-3120c02 45->46 47 3120d42-3120d49 46->47 48 3120c08-3120c0f 46->48 49 3120c11-3120c18 48->49 50 3120c19-3120c24 48->50 49->50 50->29 51 3120c2a-3120c36 50->51 52 3120c38-3120c3e 51->52 53 3120c3f-3120c49 51->53 52->53 53->29 54 3120c4f-3120c59 53->54 54->29 55 3120c5f-3120c6b 54->55 55->29 56 3120c71-3120c92 55->56 57 3120c94-3120c9b 56->57 58 3120c9c-3120c9f 56->58 57->58 59 3120ca9-3120cca 58->59 63 3120cd9-3120ce0 59->63 64 3120ccc-3120cd1 59->64 63->29 65 3120ce2-3120ceb 63->65 64->63 65->29 66 3120ced-3120d01 65->66 67 3120d03-3120d08 66->67 68 3120d10-3120d17 66->68 67->68 68->29 69 3120d19-3120d21 68->69 69->29 70 3120d23-3120d3c 69->70 70->47 70->48
                                            APIs
                                            • VirtualProtectEx.KERNELBASE(?,04373590,?,?,?), ref: 03120DDC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1324419446.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3120000_file.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 70bb7f42d38c6a51854c1ec60c0023ab3163f9c05e66f66137b12a17aa9986ee
                                            • Instruction ID: ca54b538cf6d31e76211750fc65e0b3037a49fa1209f303538ed2210865edac1
                                            • Opcode Fuzzy Hash: 70bb7f42d38c6a51854c1ec60c0023ab3163f9c05e66f66137b12a17aa9986ee
                                            • Instruction Fuzzy Hash: 1EB18F71A002698FCB15CB9DC890AEDFBF2FB4D314F1986A9D459AB351C334AD51CBA0
                                            Function 031204B0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 71 31204b0-3120de9 VirtualProtectEx 74 3120df0-3120e09 71->74 75 3120deb 71->75 75->74
                                            APIs
                                            • VirtualProtectEx.KERNELBASE(?,04373590,?,?,?), ref: 03120DDC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1324419446.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_3120000_file.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 2f8dd6cf9b5530956ceb85149e1182ca5ba9c089b408e36c1f0bbdc9f67ac9dc
                                            • Instruction ID: 56e60d93ba90c457474bcc82bdd45c473e70d149c08bfeb5f9f72ce892ac3e8e
                                            • Opcode Fuzzy Hash: 2f8dd6cf9b5530956ceb85149e1182ca5ba9c089b408e36c1f0bbdc9f67ac9dc
                                            • Instruction Fuzzy Hash: 9321DEB590125DEBDB10DF9AD884BDEFFB4FB48310F50826AE918A7250C374A950CFA5

                                            Execution Graph

                                            Execution Coverage:10.9%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:159
                                            Total number of Limit Nodes:10
                                            execution_graph 42377 2e6d01c 42378 2e6d034 42377->42378 42379 2e6d08e 42378->42379 42385 5701e98 42378->42385 42389 5701ea8 42378->42389 42393 5702c08 42378->42393 42402 5701ef7 42378->42402 42407 5700ad4 42378->42407 42386 5701ea8 42385->42386 42387 5701eef 42386->42387 42388 5700ad4 CallWindowProcW 42386->42388 42387->42379 42388->42387 42390 5701ece 42389->42390 42391 5701eef 42390->42391 42392 5700ad4 CallWindowProcW 42390->42392 42391->42379 42392->42391 42394 5702c18 42393->42394 42395 5702c79 42394->42395 42397 5702c69 42394->42397 42432 5700bfc 42395->42432 42416 5702d90 42397->42416 42421 5702da0 42397->42421 42426 5702e6c 42397->42426 42398 5702c77 42403 5701ee7 42402->42403 42405 5701f02 42402->42405 42404 5700ad4 CallWindowProcW 42403->42404 42406 5701eef 42404->42406 42405->42379 42406->42379 42408 5700adf 42407->42408 42409 5702c79 42408->42409 42411 5702c69 42408->42411 42410 5700bfc CallWindowProcW 42409->42410 42412 5702c77 42410->42412 42413 5702da0 CallWindowProcW 42411->42413 42414 5702d90 CallWindowProcW 42411->42414 42415 5702e6c CallWindowProcW 42411->42415 42413->42412 42414->42412 42415->42412 42418 5702da0 42416->42418 42417 5702e40 42417->42398 42436 5702e58 42418->42436 42439 5702e48 42418->42439 42423 5702db4 42421->42423 42422 5702e40 42422->42398 42424 5702e58 CallWindowProcW 42423->42424 42425 5702e48 CallWindowProcW 42423->42425 42424->42422 42425->42422 42427 5702e2a 42426->42427 42428 5702e7a 42426->42428 42430 5702e58 CallWindowProcW 42427->42430 42431 5702e48 CallWindowProcW 42427->42431 42429 5702e40 42429->42398 42430->42429 42431->42429 42433 5700c07 42432->42433 42434 570435a CallWindowProcW 42433->42434 42435 5704309 42433->42435 42434->42435 42435->42398 42437 5702e69 42436->42437 42443 5704291 42436->42443 42437->42417 42440 5702e58 42439->42440 42441 5702e69 42440->42441 42442 5704291 CallWindowProcW 42440->42442 42441->42417 42442->42441 42444 5700bfc CallWindowProcW 42443->42444 42445 57042aa 42444->42445 42445->42437 42245 2f3d0b8 42246 2f3d0fe 42245->42246 42250 2f3d289 42246->42250 42253 2f3d298 42246->42253 42247 2f3d1eb 42252 2f3d2c6 42250->42252 42256 2f3c9a0 42250->42256 42252->42247 42254 2f3c9a0 DuplicateHandle 42253->42254 42255 2f3d2c6 42254->42255 42255->42247 42257 2f3d300 DuplicateHandle 42256->42257 42258 2f3d396 42257->42258 42258->42252 42259 2f34668 42260 2f34684 42259->42260 42261 2f34696 42260->42261 42265 2f347a0 42260->42265 42270 2f33e10 42261->42270 42263 2f346b5 42266 2f347c5 42265->42266 42274 2f348a1 42266->42274 42278 2f348b0 42266->42278 42271 2f33e1b 42270->42271 42286 2f35c54 42271->42286 42273 2f36ff0 42273->42263 42276 2f348b0 42274->42276 42275 2f349b4 42275->42275 42276->42275 42282 2f34248 42276->42282 42279 2f348d7 42278->42279 42280 2f34248 CreateActCtxA 42279->42280 42281 2f349b4 42279->42281 42280->42281 42283 2f35940 CreateActCtxA 42282->42283 42285 2f35a03 42283->42285 42287 2f35c5f 42286->42287 42290 2f35c64 42287->42290 42289 2f3709d 42289->42273 42291 2f35c6f 42290->42291 42294 2f35c94 42291->42294 42293 2f3717a 42293->42289 42295 2f35c9f 42294->42295 42298 2f35cc4 42295->42298 42297 2f3726d 42297->42293 42299 2f35ccf 42298->42299 42301 2f38653 42299->42301 42305 2f3ad00 42299->42305 42300 2f38691 42300->42297 42301->42300 42309 2f3cde0 42301->42309 42314 2f3cdf0 42301->42314 42319 2f3ad38 42305->42319 42322 2f3ad28 42305->42322 42306 2f3ad16 42306->42301 42310 2f3ce11 42309->42310 42311 2f3ce35 42310->42311 42346 2f3cfa0 42310->42346 42350 2f3cf90 42310->42350 42311->42300 42315 2f3ce11 42314->42315 42316 2f3ce35 42315->42316 42317 2f3cfa0 3 API calls 42315->42317 42318 2f3cf90 3 API calls 42315->42318 42316->42300 42317->42316 42318->42316 42326 2f3ae30 42319->42326 42320 2f3ad47 42320->42306 42323 2f3ad38 42322->42323 42325 2f3ae30 2 API calls 42323->42325 42324 2f3ad47 42324->42306 42325->42324 42327 2f3ae41 42326->42327 42328 2f3ae64 42326->42328 42327->42328 42334 2f3b0c8 42327->42334 42338 2f3b0b8 42327->42338 42328->42320 42329 2f3ae5c 42329->42328 42330 2f3b068 GetModuleHandleW 42329->42330 42331 2f3b095 42330->42331 42331->42320 42335 2f3b0dc 42334->42335 42337 2f3b101 42335->42337 42342 2f3a870 42335->42342 42337->42329 42339 2f3b0dc 42338->42339 42340 2f3b101 42339->42340 42341 2f3a870 LoadLibraryExW 42339->42341 42340->42329 42341->42340 42343 2f3b2a8 LoadLibraryExW 42342->42343 42345 2f3b321 42343->42345 42345->42337 42347 2f3cfad 42346->42347 42348 2f3cfe7 42347->42348 42354 2f3c8d8 42347->42354 42348->42311 42351 2f3cfa0 42350->42351 42352 2f3c8d8 3 API calls 42351->42352 42353 2f3cfe7 42351->42353 42352->42353 42353->42311 42355 2f3c8e3 42354->42355 42357 2f3d8f8 42355->42357 42358 2f3ca04 42355->42358 42357->42357 42359 2f3ca0f 42358->42359 42360 2f35cc4 3 API calls 42359->42360 42361 2f3d967 42360->42361 42365 2f3f6c8 42361->42365 42371 2f3f6e0 42361->42371 42362 2f3d9a1 42362->42357 42367 2f3f711 42365->42367 42368 2f3f811 42365->42368 42366 2f3f71d 42366->42362 42367->42366 42369 5700dc8 CreateWindowExW 42367->42369 42370 5700db8 CreateWindowExW 42367->42370 42368->42362 42369->42368 42370->42368 42373 2f3f811 42371->42373 42374 2f3f711 42371->42374 42372 2f3f71d 42372->42362 42373->42362 42374->42372 42375 5700dc8 CreateWindowExW 42374->42375 42376 5700db8 CreateWindowExW 42374->42376 42375->42373 42376->42373

                                            Executed Functions

                                            Function 05706948 Relevance: .5, Instructions: 499COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37b3590145b5b0f9c7d0cd9446689830c8b86362e99cebb3277ebb0d9a187f3f
                                            • Instruction ID: deddfff4d2bc3c99e49116b500d15d47c8cce36175ecf57fdbe8e99303442f30
                                            • Opcode Fuzzy Hash: 37b3590145b5b0f9c7d0cd9446689830c8b86362e99cebb3277ebb0d9a187f3f
                                            • Instruction Fuzzy Hash: F9220274900228DFDB65DF64C958BE9BBB2FF4A300F0094E9D509AB2A0DB359E84DF51
                                            Function 06AB67D8 Relevance: .4, Instructions: 424COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1bc92cb9b88a13affd3d745f5dc67bf26365f4e9f4ad3fedeb9a2c216965222
                                            • Instruction ID: b9903482961b49ba9d62692de8a245fcee2d0418e728c8c9992593f678093ad9
                                            • Opcode Fuzzy Hash: f1bc92cb9b88a13affd3d745f5dc67bf26365f4e9f4ad3fedeb9a2c216965222
                                            • Instruction Fuzzy Hash: 0BF19F30A003199FDB45EF68D840BDEBBF6EF89310F159569E505AB2A2DB30ED45CB90
                                            Function 06ABA3E1 Relevance: .3, Instructions: 292COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a9886a20670b1fc806df2a6ec8429daf40eee2c89358c7941fe6c062cfa6767
                                            • Instruction ID: 20bd48d11f5f4f84cd8edd3dd1f81b9e69eeb14f32e5095f24fc95a9039a2bf3
                                            • Opcode Fuzzy Hash: 5a9886a20670b1fc806df2a6ec8429daf40eee2c89358c7941fe6c062cfa6767
                                            • Instruction Fuzzy Hash: 1AD1E470D00218CFCB58EFB5D954A9DBBB2FF8A301F1085ADD50AAB254DB359986CF21
                                            Function 06ABA3E8 Relevance: .3, Instructions: 289COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab31556b8047233ae622e1a2fd270296cb3b6752b4900afb1a4f727379c61eaa
                                            • Instruction ID: de64eae515052de0f16f8c06605dcdcc85302c177097cdd046f810f5288e6988
                                            • Opcode Fuzzy Hash: ab31556b8047233ae622e1a2fd270296cb3b6752b4900afb1a4f727379c61eaa
                                            • Instruction Fuzzy Hash: F0D1D470D00218CFCB58EFB5D954A9DBBB2FF8A301F1085ADD50AAB254DB359986CF21
                                            Function 05707C20 Relevance: .3, Instructions: 279COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9497911521bf56c21272cb31cb17a91141ca8f79a5b07f514072db80e7ea88eb
                                            • Instruction ID: a8fd9f614216b6f1f777f25b926b6cf28d95c20fd121cdb08cc5996c5ba629a2
                                            • Opcode Fuzzy Hash: 9497911521bf56c21272cb31cb17a91141ca8f79a5b07f514072db80e7ea88eb
                                            • Instruction Fuzzy Hash: 1FC19374E04218CFDB14DFA6D884A9EBBF2FF89300F10D1A9D809AB255DB346986CF55
                                            Function 05700AFC Relevance: .3, Instructions: 253COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9f0b3b2e9db6b66ae2d25752eec5023f36751e517524d3b24b9a8237aa12df8
                                            • Instruction ID: 6a2feb752e8b9b7abc8c4123d08e80fef3ea96f552607fc86ea3b2b85e18b6a5
                                            • Opcode Fuzzy Hash: a9f0b3b2e9db6b66ae2d25752eec5023f36751e517524d3b24b9a8237aa12df8
                                            • Instruction Fuzzy Hash: 2BA17275E10319CFCB04DBA4C8549DDFBFAFF89310F158216E416AB2A1DB30A945EB60
                                            Function 05700AF9 Relevance: .2, Instructions: 218COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c38a9f5c334f532c2753e84493c17e40412a07cac71caf80347791fbba4c8ce9
                                            • Instruction ID: 88ecd8acee38b3780b1a23a65193a69dbc3a53b5ac72abe4cc779ece424e65ab
                                            • Opcode Fuzzy Hash: c38a9f5c334f532c2753e84493c17e40412a07cac71caf80347791fbba4c8ce9
                                            • Instruction Fuzzy Hash: 05917075E10319DFCB04DBA4D8449DDFBFAFF89310F158216E516AB2A1DB30A941EBA0
                                            Function 05701FF0 Relevance: .2, Instructions: 217COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e4f7109d51e767410428a2e42d2c306d459dc1597e3e7919bb379ff8f2032a3
                                            • Instruction ID: 53ea43ff7e626e76ee636b2a54513787c6065718efa6f2b9d01e6be8a51d0edf
                                            • Opcode Fuzzy Hash: 0e4f7109d51e767410428a2e42d2c306d459dc1597e3e7919bb379ff8f2032a3
                                            • Instruction Fuzzy Hash: AA917075E10319DFCB04DBA4D8449DDFBFAFF89310F158216E516AB2A0DB30A945EBA0
                                            Function 05707C10 Relevance: .1, Instructions: 126COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1d08cbdd02f62a4c59bc44b2791d86e60d1e2cee62c5487e7bbaec6f6dee861
                                            • Instruction ID: 907ced5ec5a7277ed347074ab2da93338b703eac2d9e299b5eeb8a465dfbc847
                                            • Opcode Fuzzy Hash: f1d08cbdd02f62a4c59bc44b2791d86e60d1e2cee62c5487e7bbaec6f6dee861
                                            • Instruction Fuzzy Hash: 9751A674E00618CBEB18DFAAD844B9EBBB3BFC8300F14C1A9D81DAB255DB3459859F54
                                            Function 06AB0040 Relevance: 9.3, Strings: 5, Instructions: 3078COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 6ab0040-6ab354f 696 6ab3599-6ab35a0 0->696 697 6ab35a2-6ab35a7 696->697 698 6ab3551-6ab3568 696->698 699 6ab356a-6ab3573 698->699 700 6ab35a8-6ab35da 698->700 702 6ab3579-6ab3596 699->702 702->696
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (:<t$09<t$H;<t$Ld<t$:<t
                                            • API String ID: 0-3123518023
                                            • Opcode ID: 2c641f0c834cb4cdff8fbcbf46e05112cede8dd8034121d601f1a7e43eca6ae1
                                            • Instruction ID: 4fdedbfd77bfc87a716028904b2d6c76800fde636d4e6fcbabf7a70784ac8f4d
                                            • Opcode Fuzzy Hash: 2c641f0c834cb4cdff8fbcbf46e05112cede8dd8034121d601f1a7e43eca6ae1
                                            • Instruction Fuzzy Hash: 83536F31A40318AFEB269B90DC15BED77B6FF89700F1040D9E60A6B6D0CA765E84CF59
                                            Function 06A90597 Relevance: 1.7, Strings: 1, Instructions: 462COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 705 6a90597-6a905c7 707 6a905cd-6a905fd 705->707 708 6a90ad7-6a90d2e 705->708 715 6a90138-6a90145 707->715 719 6a9014b-6a90160 715->719 720 6a9076a-6a90774 715->720 719->715 723 6a90162 719->723 725 6a90169-6a9018c 723->725 726 6a903aa-6a903cd 723->726 727 6a9049a-6a904bd 723->727 728 6a901de 723->728 729 6a90251-6a9027f 723->729 730 6a90422-6a90445 723->730 731 6a90512-6a90535 723->731 732 6a902c4-6a902f2 723->732 733 6a90337 723->733 777 6a90192-6a90196 725->777 778 6a90777-6a907a6 725->778 779 6a90819-6a90848 726->779 780 6a903d3-6a903d7 726->780 781 6a9095d-6a9098c 727->781 782 6a904c3-6a904c7 727->782 738 6a901e8-6a90204 728->738 754 6a90281-6a90287 729->754 755 6a90297-6a902bf 729->755 784 6a908bb-6a908ea 730->784 785 6a9044b-6a9044f 730->785 786 6a9053b-6a9053f 731->786 787 6a909ff-6a90a2e 731->787 761 6a9030a-6a90332 732->761 762 6a902f4-6a902fa 732->762 741 6a90341-6a9035d 733->741 748 6a9020a-6a9020c 738->748 751 6a90363-6a90365 741->751 756 6a9020e-6a90214 748->756 757 6a90224-6a9024c 748->757 759 6a9037d-6a903a5 751->759 760 6a90367-6a9036d 751->760 763 6a90289 754->763 764 6a9028b-6a9028d 754->764 755->715 770 6a90218-6a9021a 756->770 771 6a90216 756->771 757->715 759->715 774 6a9036f 760->774 775 6a90371-6a90373 760->775 761->715 768 6a902fc 762->768 769 6a902fe-6a90300 762->769 763->755 764->755 768->761 769->761 770->757 771->757 774->759 775->759 791 6a9019c-6a901a6 777->791 792 6a907e3-6a90812 777->792 804 6a907ad-6a907dc 778->804 807 6a9084f-6a9087e 779->807 793 6a903dd-6a903e7 780->793 794 6a90885-6a908b4 780->794 809 6a90993-6a909c2 781->809 795 6a909c9-6a909f8 782->795 796 6a904cd-6a904d7 782->796 813 6a908f1-6a90920 784->813 797 6a90455-6a9045f 785->797 798 6a90927-6a90956 785->798 799 6a90a6b-6a90ad0 786->799 800 6a90545-6a9054f 786->800 815 6a90a35-6a90a64 787->815 791->804 805 6a901ac-6a901d9 791->805 792->779 806 6a903ed-6a9041d 793->806 793->807 794->784 795->787 808 6a904dd-6a9050d 796->808 796->809 797->813 814 6a90465-6a90495 797->814 798->781 799->708 800->815 816 6a90555-6a90585 800->816 804->792 805->715 806->715 807->794 808->715 809->795 813->798 814->715 815->799 816->715
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: olPj
                                            • API String ID: 0-336650015
                                            • Opcode ID: 2f694211c4a08dc26bf426fa28fc666dc7cdf4810092cd9d596190956de7e3ee
                                            • Instruction ID: b0c0a886ed408db85c4b2837e9893755badc8a1fcbc2e6653634e9ef8e2cc02b
                                            • Opcode Fuzzy Hash: 2f694211c4a08dc26bf426fa28fc666dc7cdf4810092cd9d596190956de7e3ee
                                            • Instruction Fuzzy Hash: 1602A930B007148FDB64AB64D894A6E77F2BF8A704F50855CD6029B3A1CF79ED05CBA6
                                            Function 02F3AE30 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 912 2f3ae30-2f3ae3f 913 2f3ae41-2f3ae4e call 2f39838 912->913 914 2f3ae6b-2f3ae6f 912->914 920 2f3ae50 913->920 921 2f3ae64 913->921 916 2f3ae83-2f3aec4 914->916 917 2f3ae71-2f3ae7b 914->917 923 2f3aed1-2f3aedf 916->923 924 2f3aec6-2f3aece 916->924 917->916 970 2f3ae56 call 2f3b0c8 920->970 971 2f3ae56 call 2f3b0b8 920->971 921->914 925 2f3af03-2f3af05 923->925 926 2f3aee1-2f3aee6 923->926 924->923 931 2f3af08-2f3af0f 925->931 928 2f3aef1 926->928 929 2f3aee8-2f3aeef call 2f3a814 926->929 927 2f3ae5c-2f3ae5e 927->921 930 2f3afa0-2f3afb7 927->930 933 2f3aef3-2f3af01 928->933 929->933 945 2f3afb9-2f3b018 930->945 934 2f3af11-2f3af19 931->934 935 2f3af1c-2f3af23 931->935 933->931 934->935 938 2f3af30-2f3af39 call 2f3a824 935->938 939 2f3af25-2f3af2d 935->939 943 2f3af46-2f3af4b 938->943 944 2f3af3b-2f3af43 938->944 939->938 946 2f3af69-2f3af76 943->946 947 2f3af4d-2f3af54 943->947 944->943 963 2f3b01a-2f3b060 945->963 954 2f3af99-2f3af9f 946->954 955 2f3af78-2f3af96 946->955 947->946 948 2f3af56-2f3af66 call 2f3a834 call 2f3a844 947->948 948->946 955->954 965 2f3b062-2f3b065 963->965 966 2f3b068-2f3b093 GetModuleHandleW 963->966 965->966 967 2f3b095-2f3b09b 966->967 968 2f3b09c-2f3b0b0 966->968 967->968 970->927 971->927
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02F3B086
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 4f7d2bdcd4318afebd375442127e4dfbee8b09d40343ee938430ced0bc29ecf1
                                            • Instruction ID: 77f40cfe7d6b104e32f972b0e084cfab4565098e369d97bc6697ae357a2e1f2c
                                            • Opcode Fuzzy Hash: 4f7d2bdcd4318afebd375442127e4dfbee8b09d40343ee938430ced0bc29ecf1
                                            • Instruction Fuzzy Hash: 3F7156B1A00B058FD725DF2AD44079ABBF1FF88754F00892DD18ADBA50D774E845CB91
                                            Function 05700AA8 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 972 5700aa8-5701d56 974 5701d61-5701d68 972->974 975 5701d58-5701d5e 972->975 976 5701d73-5701e12 CreateWindowExW 974->976 977 5701d6a-5701d70 974->977 975->974 979 5701e14-5701e1a 976->979 980 5701e1b-5701e53 976->980 977->976 979->980 984 5701e60 980->984 985 5701e55-5701e58 980->985 986 5701e61 984->986 985->984 986->986
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05701E02
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 3ae3d66decf42a46dc9a3166d53905345ba68bdb08c9400d7efbd117f1a4fc5c
                                            • Instruction ID: 4622d611b19d0e8dfd292ab360373cfe207d288cbfbbf5593b70757b2164d951
                                            • Opcode Fuzzy Hash: 3ae3d66decf42a46dc9a3166d53905345ba68bdb08c9400d7efbd117f1a4fc5c
                                            • Instruction Fuzzy Hash: 8251CFB1D00349DFDB14CFA9C984ADEBBF6BF48710F64812AE819AB250D7709885CF90
                                            Function 05701CE4 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 987 5701ce4-5701d56 990 5701d61-5701d68 987->990 991 5701d58-5701d5e 987->991 992 5701d73-5701dab 990->992 993 5701d6a-5701d70 990->993 991->990 994 5701db3-5701e12 CreateWindowExW 992->994 993->992 995 5701e14-5701e1a 994->995 996 5701e1b-5701e53 994->996 995->996 1000 5701e60 996->1000 1001 5701e55-5701e58 996->1001 1002 5701e61 1000->1002 1001->1000 1002->1002
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05701E02
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: c8aca1f5a593dbdcffb95eda52c5c97d0f54a28099e96592fb31f1c7153f2ca8
                                            • Instruction ID: 3b17c426d69596a6e056af920e6f5b14e568be8dec678083ad65d82f72de65aa
                                            • Opcode Fuzzy Hash: c8aca1f5a593dbdcffb95eda52c5c97d0f54a28099e96592fb31f1c7153f2ca8
                                            • Instruction Fuzzy Hash: E851BEB1D00359DFDB14CFA9C984ADEBBF5BF48710F64812AE819AB250D7B09985CF90
                                            Function 05700BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1003 5700bfc-57042fc 1006 5704302-5704307 1003->1006 1007 57043ac-57043cc call 5700ad4 1003->1007 1009 5704309-5704340 1006->1009 1010 570435a-5704392 CallWindowProcW 1006->1010 1014 57043cf-57043dc 1007->1014 1017 5704342-5704348 1009->1017 1018 5704349-5704358 1009->1018 1011 5704394-570439a 1010->1011 1012 570439b-57043aa 1010->1012 1011->1012 1012->1014 1017->1018 1018->1014
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 05704381
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 366319622b25572e68f933b14e09c04f7b3bb6051c35b9c1bfac38c072c08ac6
                                            • Instruction ID: 99a59a9d8278279e7a543463740ba284b0374b9e8137c1c7b80e13f1df6598f6
                                            • Opcode Fuzzy Hash: 366319622b25572e68f933b14e09c04f7b3bb6051c35b9c1bfac38c072c08ac6
                                            • Instruction Fuzzy Hash: 834129B5900309DFCB14CF99C848AAAFBF6FF88314F249559E519AB360D770A845CBA0
                                            Function 02F34248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1020 2f34248-2f35a01 CreateActCtxA 1023 2f35a03-2f35a09 1020->1023 1024 2f35a0a-2f35a64 1020->1024 1023->1024 1031 2f35a73-2f35a77 1024->1031 1032 2f35a66-2f35a69 1024->1032 1033 2f35a79-2f35a85 1031->1033 1034 2f35a88-2f35ab8 1031->1034 1032->1031 1033->1034 1038 2f35a6a 1034->1038 1039 2f35aba-2f35b3c 1034->1039 1038->1031
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02F359F1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: f3ea1c9975c8a5676b1f8073187872e417ef497a3a9dea0d84fa979c06e93527
                                            • Instruction ID: 2bc7c565cb54f239e4ae06af64ef0fead1c3cd9e3db603fa728896910fb5e30e
                                            • Opcode Fuzzy Hash: f3ea1c9975c8a5676b1f8073187872e417ef497a3a9dea0d84fa979c06e93527
                                            • Instruction Fuzzy Hash: FF41C171D0071CCBDB25CFA9C884B9EBBB5BF48704F64806AD508AB250DBB5694ACF90
                                            Function 02F35935 Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1041 2f35935-2f3593c 1042 2f35944-2f35a01 CreateActCtxA 1041->1042 1044 2f35a03-2f35a09 1042->1044 1045 2f35a0a-2f35a64 1042->1045 1044->1045 1052 2f35a73-2f35a77 1045->1052 1053 2f35a66-2f35a69 1045->1053 1054 2f35a79-2f35a85 1052->1054 1055 2f35a88-2f35ab8 1052->1055 1053->1052 1054->1055 1059 2f35a6a 1055->1059 1060 2f35aba-2f35b3c 1055->1060 1059->1052
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 02F359F1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: b490649481ce3a048163a332cc97057bd1bc7b044879b29a1ca01c52909da86d
                                            • Instruction ID: 66d31a7fadd597db9f37735b8a52f8459d56c1d77697c3221efa8042020f6c01
                                            • Opcode Fuzzy Hash: b490649481ce3a048163a332cc97057bd1bc7b044879b29a1ca01c52909da86d
                                            • Instruction Fuzzy Hash: A541D171D00718CFDB25CFA9C884BCEBBB5BF48304F24806AD508AB250DBB5694ACF50
                                            Function 02F3C9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1062 2f3c9a0-2f3d394 DuplicateHandle 1064 2f3d396-2f3d39c 1062->1064 1065 2f3d39d-2f3d3ba 1062->1065 1064->1065
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F3D2C6,?,?,?,?,?), ref: 02F3D387
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 1ef5caca74d5a6828e5618560a575ed684c626eaf3ec5ff0754729362475e408
                                            • Instruction ID: 4183be4049b8d1ec338a5958a311e4823b270a2f7552c13690d8519c257861a6
                                            • Opcode Fuzzy Hash: 1ef5caca74d5a6828e5618560a575ed684c626eaf3ec5ff0754729362475e408
                                            • Instruction Fuzzy Hash: DB21E5B5900348DFDB11CF9AD984AEEBBF4EB48314F14845AE914A7310D374A954CFA5
                                            Function 02F3D2F9 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1068 2f3d2f9-2f3d394 DuplicateHandle 1069 2f3d396-2f3d39c 1068->1069 1070 2f3d39d-2f3d3ba 1068->1070 1069->1070
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F3D2C6,?,?,?,?,?), ref: 02F3D387
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: f6d23746a559d7e87b0eb759d79a151383657038775cf0933ea7496a9804a1b8
                                            • Instruction ID: 51b17f8f3c44450e3201311a426f44c0eea58df477298b780fc08a42a20cb76d
                                            • Opcode Fuzzy Hash: f6d23746a559d7e87b0eb759d79a151383657038775cf0933ea7496a9804a1b8
                                            • Instruction Fuzzy Hash: 2A21E3B6D00348DFDB11CFA9D985AEEBBF4AB48324F14841AE958A7210C374A944CF64
                                            Function 02F3B2A0 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1073 2f3b2a0-2f3b2e8 1075 2f3b2f0-2f3b31f LoadLibraryExW 1073->1075 1076 2f3b2ea-2f3b2ed 1073->1076 1077 2f3b321-2f3b327 1075->1077 1078 2f3b328-2f3b345 1075->1078 1076->1075 1077->1078
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F3B101,00000800,00000000,00000000), ref: 02F3B312
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: f0430381d2f43253688618d13872d6964f9d2f5c69245bd7cb20d9e4986edd2e
                                            • Instruction ID: 70fa851a1c701a77836b20bbcb51e77fde28e869ea97e572ecd65285ef4f3f4b
                                            • Opcode Fuzzy Hash: f0430381d2f43253688618d13872d6964f9d2f5c69245bd7cb20d9e4986edd2e
                                            • Instruction Fuzzy Hash: 671114B6C003498FDB21CF9AC884BDEFBF4EB48724F14842AE919A7600C374A545CFA5
                                            Function 02F3A870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1081 2f3a870-2f3b2e8 1083 2f3b2f0-2f3b31f LoadLibraryExW 1081->1083 1084 2f3b2ea-2f3b2ed 1081->1084 1085 2f3b321-2f3b327 1083->1085 1086 2f3b328-2f3b345 1083->1086 1084->1083 1085->1086
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F3B101,00000800,00000000,00000000), ref: 02F3B312
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 26ebcb4a098e78aec6d23f047c9a17745152153720986683f04df2bfb822e127
                                            • Instruction ID: 90e73b7e164d8dfca9acb2ef926c9bc50861c549050dfeb9ead5b3868feef3d6
                                            • Opcode Fuzzy Hash: 26ebcb4a098e78aec6d23f047c9a17745152153720986683f04df2bfb822e127
                                            • Instruction Fuzzy Hash: 371114B6D003498FDB21CF9AC844BDEFBF4EB48714F14842AE919A7200C374A545CFA5
                                            Function 02F3B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1089 2f3b020-2f3b060 1090 2f3b062-2f3b065 1089->1090 1091 2f3b068-2f3b093 GetModuleHandleW 1089->1091 1090->1091 1092 2f3b095-2f3b09b 1091->1092 1093 2f3b09c-2f3b0b0 1091->1093 1092->1093
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02F3B086
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 0c7ace647ed23d9e54e7406467c2a0a15c6c1f046f4d50e47769d04461d9e3d8
                                            • Instruction ID: bc077d793f30701987b0db306f33a99c8ede530588bfc2df37ad88fce609bfa8
                                            • Opcode Fuzzy Hash: 0c7ace647ed23d9e54e7406467c2a0a15c6c1f046f4d50e47769d04461d9e3d8
                                            • Instruction Fuzzy Hash: ED110FB6C003498FCB20CF9AC844BDEFBF4AB88628F14842AD568B7210C375A545CFA1
                                            Function 06A91BA0 Relevance: 1.4, Instructions: 1353COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1132 6a91ba0-6a91bc3 1133 6a91bd1-6a91c2d 1132->1133 1134 6a91bc5-6a91bc7 1132->1134 1139 6a91c33-6a91c69 1133->1139 1140 6a92056-6a92071 1133->1140 1134->1133 1139->1140 1155 6a91c6f-6a91ca5 1139->1155 1143 6a92073-6a9209e 1140->1143 1144 6a92024-6a92039 1140->1144 1146 6a920a0-6a920a6 1143->1146 1147 6a920b6-6a92119 1143->1147 1144->1140 1156 6a9203b-6a92053 1144->1156 1149 6a920a8 1146->1149 1150 6a920aa-6a920b4 1146->1150 1168 6a9211f-6a92139 1147->1168 1169 6a92ea1-6a92ec5 1147->1169 1149->1147 1150->1147 1155->1140 1164 6a91cab-6a91ce2 1155->1164 1164->1140 1175 6a91ce8-6a91d1e 1164->1175 1168->1169 1173 6a9213f-6a9216f 1168->1173 1182 6a92189-6a921d5 1173->1182 1183 6a92171-6a92187 1173->1183 1175->1140 1184 6a91d24-6a91d5a 1175->1184 1191 6a921dc-6a921f9 1182->1191 1183->1191 1184->1140 1196 6a91d60-6a91d9e 1184->1196 1191->1169 1197 6a921ff-6a92235 1191->1197 1196->1140 1204 6a91da4-6a91ded 1196->1204 1205 6a9224f-6a9229b 1197->1205 1206 6a92237-6a9224d 1197->1206 1204->1140 1222 6a91df3-6a91e29 1204->1222 1213 6a922a2-6a922bf 1205->1213 1206->1213 1213->1169 1217 6a922c5-6a922fb 1213->1217 1227 6a922fd-6a92313 1217->1227 1228 6a92315-6a92361 1217->1228 1222->1140 1232 6a91e2f-6a91e65 1222->1232 1235 6a92368-6a92385 1227->1235 1228->1235 1232->1140 1243 6a91e6b-6a91ea1 1232->1243 1235->1169 1241 6a9238b-6a923c1 1235->1241 1249 6a923db-6a92427 1241->1249 1250 6a923c3-6a923d9 1241->1250 1243->1140 1252 6a91ea7-6a91edd 1243->1252 1258 6a9242e-6a9244b 1249->1258 1250->1258 1252->1140 1265 6a91ee3-6a91efa 1252->1265 1258->1169 1263 6a92451-6a92487 1258->1263 1272 6a92489-6a9249f 1263->1272 1273 6a924a1-6a924f9 1263->1273 1265->1140 1269 6a91f00-6a91f32 1265->1269 1279 6a91f5c-6a91f9e 1269->1279 1280 6a91f34-6a91f5a 1269->1280 1282 6a92500-6a9251d 1272->1282 1273->1282 1297 6a91fbc-6a91fc8 1279->1297 1298 6a91fa0-6a91fb6 1279->1298 1294 6a91fce-6a92001 1280->1294 1282->1169 1290 6a92523-6a92559 1282->1290 1301 6a9255b-6a92571 1290->1301 1302 6a92573-6a925d1 1290->1302 1294->1140 1307 6a92003-6a92020 1294->1307 1297->1294 1298->1297 1311 6a925d8-6a925f5 1301->1311 1302->1311 1307->1144 1311->1169 1315 6a925fb-6a92631 1311->1315 1319 6a9264b-6a926a9 1315->1319 1320 6a92633-6a92649 1315->1320 1325 6a926b0-6a926cd 1319->1325 1320->1325 1325->1169 1328 6a926d3-6a92709 1325->1328 1333 6a9270b-6a92721 1328->1333 1334 6a92723-6a92781 1328->1334 1339 6a92788-6a927a5 1333->1339 1334->1339 1339->1169 1343 6a927ab-6a927c5 1339->1343 1343->1169 1345 6a927cb-6a927fb 1343->1345 1349 6a927fd-6a92813 1345->1349 1350 6a92815-6a92873 1345->1350 1355 6a9287a-6a92897 1349->1355 1350->1355 1355->1169 1359 6a9289d-6a928b7 1355->1359 1359->1169 1361 6a928bd-6a928ed 1359->1361 1365 6a928ef-6a92905 1361->1365 1366 6a92907-6a92965 1361->1366 1371 6a9296c-6a92989 1365->1371 1366->1371 1371->1169 1374 6a9298f-6a929a9 1371->1374 1374->1169 1377 6a929af-6a929df 1374->1377 1381 6a929f9-6a92a57 1377->1381 1382 6a929e1-6a929f7 1377->1382 1387 6a92a5e-6a92a7b 1381->1387 1382->1387 1387->1169 1391 6a92a81-6a92ab7 1387->1391 1395 6a92ab9-6a92acf 1391->1395 1396 6a92ad1-6a92b2f 1391->1396 1401 6a92b36-6a92b53 1395->1401 1396->1401 1401->1169 1405 6a92b59-6a92b8f 1401->1405 1409 6a92ba9-6a92c07 1405->1409 1410 6a92b91-6a92ba7 1405->1410 1415 6a92c0e-6a92c2b 1409->1415 1410->1415 1415->1169 1418 6a92c31-6a92c67 1415->1418 1423 6a92c69-6a92c7f 1418->1423 1424 6a92c81-6a92cdf 1418->1424 1429 6a92ce6-6a92d03 1423->1429 1424->1429 1429->1169 1433 6a92d09-6a92d3f 1429->1433 1437 6a92d59-6a92db7 1433->1437 1438 6a92d41-6a92d57 1433->1438 1443 6a92dbe-6a92ddb 1437->1443 1438->1443 1443->1169 1446 6a92de1-6a92e13 1443->1446 1451 6a92e2d-6a92e82 1446->1451 1452 6a92e15-6a92e2b 1446->1452 1457 6a92e89-6a92e9e 1451->1457 1452->1457
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f738e9732cd05fabe624210a89a52a3d402afee744a6448a9bc401b5dc4328e
                                            • Instruction ID: c120b25aab266f683e47f10dba53cdcb9b54edbdb9d4939561ec52401294bac8
                                            • Opcode Fuzzy Hash: 7f738e9732cd05fabe624210a89a52a3d402afee744a6448a9bc401b5dc4328e
                                            • Instruction Fuzzy Hash: 3FC25E30B102189FDF54DB64C954BEDB7B2BF89304F118099E60AAB3A1DB719E85CF61
                                            Function 06A93838 Relevance: 1.0, Instructions: 1020COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bce0136d1f93ea0fdc61434644f3dcfa4717a3b7f8e9ac44a44483c02fc0c23a
                                            • Instruction ID: 36ef378724a1e291d8a306626b48a5e02c6717d70954ed57dadf0e473040aaca
                                            • Opcode Fuzzy Hash: bce0136d1f93ea0fdc61434644f3dcfa4717a3b7f8e9ac44a44483c02fc0c23a
                                            • Instruction Fuzzy Hash: 46824A74B002049FDB44DF68C998EAABBF6FF89704F158099E506DB3A1DA71ED41CB60
                                            Function 06A900D8 Relevance: .7, Instructions: 676COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ccc7c41bb8e353adf342657e1ba907e336c834466028a68aabc868472f3f1615
                                            • Instruction ID: 1966654dfda3a8157bced0fa2d1cf97fd217a03fd75e83531edb1df8a1afdb98
                                            • Opcode Fuzzy Hash: ccc7c41bb8e353adf342657e1ba907e336c834466028a68aabc868472f3f1615
                                            • Instruction Fuzzy Hash: FD428930B007298FDB64AF64E49466EB7F2FFC6614B504A4CD5039B390CB79ED058BA6
                                            Function 06AB48A8 Relevance: .5, Instructions: 509COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f9f6532ef53d50c5bc80cbbcb7220683de72fc55f5ab7464041176c5ab44ccd
                                            • Instruction ID: 4a7ffe8e8528c934cf28f95e2c481e192ac43d047b126e11b468dea277d27446
                                            • Opcode Fuzzy Hash: 1f9f6532ef53d50c5bc80cbbcb7220683de72fc55f5ab7464041176c5ab44ccd
                                            • Instruction Fuzzy Hash: 13123674B006058FDB54EF29C984AAABBF6FF89710B1584A9E506CB767DB30EC41CB50
                                            Function 06A9060F Relevance: .4, Instructions: 447COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4d0300bb76ad235c4d9d8934b8b3594f8a08a3ab6e26741d5591c5d9cc992ef
                                            • Instruction ID: f69599ac823ca223a6c3230461e557c745a800badd235a0f4ab8ec46093e3d48
                                            • Opcode Fuzzy Hash: a4d0300bb76ad235c4d9d8934b8b3594f8a08a3ab6e26741d5591c5d9cc992ef
                                            • Instruction Fuzzy Hash: 4BF1AA30B103148FDB64AB64D898A6A77F2BF8A704F50855DD6029B3A1CF79DD05CBA2
                                            Function 06AB3F50 Relevance: .4, Instructions: 397COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a48dc35e17588eb6a759e5044d0c76f4a60fa0dd4b93ffa6ee31337a5e5afd99
                                            • Instruction ID: 853b034514843cfceeaeb60822deac7cda10bcdfa8e9ad997df369cd5d8f5738
                                            • Opcode Fuzzy Hash: a48dc35e17588eb6a759e5044d0c76f4a60fa0dd4b93ffa6ee31337a5e5afd99
                                            • Instruction Fuzzy Hash: 96E13B34F002158FDB54EF69D894AAEB7F6FF88610B149169D906EB366DB31DC01CBA0
                                            Function 06A90687 Relevance: .4, Instructions: 389COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6937f937e086e4cff3789bfaba26931cbf686241821b67e4ad78e32a6c66997f
                                            • Instruction ID: c5bc87dd029cfbc1cdc4172072536ec77fd73e8df13d25e17ef877a436bef4f1
                                            • Opcode Fuzzy Hash: 6937f937e086e4cff3789bfaba26931cbf686241821b67e4ad78e32a6c66997f
                                            • Instruction Fuzzy Hash: 37E18C30B103148FDF54AB64D898B6977F2BF8A704F608459E6029B3A1CF79DD45CBA2
                                            Function 06A906FF Relevance: .4, Instructions: 354COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 115a57a7be18988d523bd914e2e4a4d847f4a0916b19572d5b2d41e6db721911
                                            • Instruction ID: a933163887376297793cd7bf65486c741c695dbb6e38911dfe0c046a8368572b
                                            • Opcode Fuzzy Hash: 115a57a7be18988d523bd914e2e4a4d847f4a0916b19572d5b2d41e6db721911
                                            • Instruction Fuzzy Hash: A9D16F30B103049FEF54AB64C898B6977F6BF8A705F608059E6029B3A1CF75DD45CB62
                                            Function 06A900B7 Relevance: .3, Instructions: 338COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 815c20a7efe526a1ba2094818a092a78f4b1ed6445d0a150321bbda9864bd490
                                            • Instruction ID: 90f3885d14ab2584b2421ac475284efe52c4414c39ab4c2f41fd3c6e47d09e55
                                            • Opcode Fuzzy Hash: 815c20a7efe526a1ba2094818a092a78f4b1ed6445d0a150321bbda9864bd490
                                            • Instruction Fuzzy Hash: 03C16F30B103049FDF449B64C999B697BF6BF8A744F20805AEA069B3A1CF75DC45CB62
                                            Function 06A91582 Relevance: .3, Instructions: 336COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08f369d2e346d37b47985ef7495d37cda9c872e9149dccc84bf9070f05a8756c
                                            • Instruction ID: 9e344e3d02b0c3b3c79bd1765ebcc6df267a1fd27cd39979d962e115f2736fb6
                                            • Opcode Fuzzy Hash: 08f369d2e346d37b47985ef7495d37cda9c872e9149dccc84bf9070f05a8756c
                                            • Instruction Fuzzy Hash: E4C1B330B043029FEF55ABA5C894A6E77F6AF8A704F208459D5039B392DF75DC06CB61
                                            Function 06A91073 Relevance: .3, Instructions: 297COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc5ac2375d45bd7721a6999f5c2e7a2897a9f02726ee3bdf97296d5c6f2bc678
                                            • Instruction ID: aa78203c0c92ca9a8f226d4d865bed7e0857f172fe7baab0ec9e9170df2e378a
                                            • Opcode Fuzzy Hash: bc5ac2375d45bd7721a6999f5c2e7a2897a9f02726ee3bdf97296d5c6f2bc678
                                            • Instruction Fuzzy Hash: 96B1B430B002029FDF55AB69D894A6A77F6EFCA704F218469E516DB3A1CF70DC01CB61
                                            Function 06A91298 Relevance: .2, Instructions: 196COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 627f4ae36dccfbd61531d4a98b59b4c6613de11c555912e1f73e46d54b99b284
                                            • Instruction ID: ca708c40fd8f999e1ab9f8e43ec859730b7e0ccdf384e412bd6eeb4c276b457c
                                            • Opcode Fuzzy Hash: 627f4ae36dccfbd61531d4a98b59b4c6613de11c555912e1f73e46d54b99b284
                                            • Instruction Fuzzy Hash: A061C870B043029FEF55ABA5D894B7A77F6BFC9618B208065E6029B392DF71DC01CB61
                                            Function 06AB7D58 Relevance: .1, Instructions: 147COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 006abcbac70e181c0e74cc5744b0b6834a746b28f5c520121617e3bd397c348f
                                            • Instruction ID: 8ea748bd7d3ddfad53b3b846fb2b44ce28f77a185d4c92c7638d626caf5f207f
                                            • Opcode Fuzzy Hash: 006abcbac70e181c0e74cc5744b0b6834a746b28f5c520121617e3bd397c348f
                                            • Instruction Fuzzy Hash: E9513871E00358CFDB55DFA9D880BEEBBF6AF88700F14842AE415AB240DBB49941CF80
                                            Function 06A934D8 Relevance: .1, Instructions: 143COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73d7f827c3a921c0b862099b3cd394a4f30468dafb5e4ab7a2e5ff19375d0bad
                                            • Instruction ID: 682996d8ef59361edc5d86a6d1ec7eb9c1c7fe9cd8ef1de84fab2d9fc8073a77
                                            • Opcode Fuzzy Hash: 73d7f827c3a921c0b862099b3cd394a4f30468dafb5e4ab7a2e5ff19375d0bad
                                            • Instruction Fuzzy Hash: A2514835B106159FCF44DF69C88499ABBF2EF8D314B118069E906EB361DB30EC45CB60
                                            Function 06AB7D4C Relevance: .1, Instructions: 129COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df370c2e030fcb715fcf1d5921364fd85c380799046c640124b07dd46fd6a5ab
                                            • Instruction ID: f555e9d13a4a36c35f13f711fb021ebd69cc75155043780cb11bb017ee29f362
                                            • Opcode Fuzzy Hash: df370c2e030fcb715fcf1d5921364fd85c380799046c640124b07dd46fd6a5ab
                                            • Instruction Fuzzy Hash: 94515A70D00358DFDB55DFA9C985BDEBBF6AF88700F14842AE415AB241D7B49841CF90
                                            Function 06AB3DE0 Relevance: .1, Instructions: 114COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1005a2a6337c0f1372c3a52e78ee76cf0bb4e12bf6c7f2a5d41a881c926ad86b
                                            • Instruction ID: 26f4e560eacb333f1e10b5261e64bd53376f788322f5c267518f6b3df427e668
                                            • Opcode Fuzzy Hash: 1005a2a6337c0f1372c3a52e78ee76cf0bb4e12bf6c7f2a5d41a881c926ad86b
                                            • Instruction Fuzzy Hash: D331F2317057518FC72AB778A8505AE77EADFCA62030548AAE04ACF781CE35EC47C7A5
                                            Function 06AB5579 Relevance: .1, Instructions: 108COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4c4810a9c46cfca0303be4617b271a6253d9cfe3d0c439abbe2305493f2525a
                                            • Instruction ID: c818d20f329d3a1cfcb919e66d5c1fc3ce93b34538059ab9a8b49204f73f6738
                                            • Opcode Fuzzy Hash: e4c4810a9c46cfca0303be4617b271a6253d9cfe3d0c439abbe2305493f2525a
                                            • Instruction Fuzzy Hash: DA318D35B01210AFCB45DF34D8949AEBBB6BF89610B058569E905CF352DB71ED05CBA0
                                            Function 06AB84C8 Relevance: .1, Instructions: 100COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f91e3ebe025293e1351abcb9867d5dbb654fc98b0a18b6e5db9eeee8f3c31e0
                                            • Instruction ID: 2001fb7ff2b7d61d81fc659a57caf2a72c5887ad057ad2310a1dbfe38ca1e52f
                                            • Opcode Fuzzy Hash: 8f91e3ebe025293e1351abcb9867d5dbb654fc98b0a18b6e5db9eeee8f3c31e0
                                            • Instruction Fuzzy Hash: 4431AF35B002148FDB09EB7CA5642AE77E7EBCD210B14453AC606DB381DE38DD0687A5
                                            Function 06AB5588 Relevance: .1, Instructions: 96COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67001abb18decab323d755f245189660e29310560d094cc48b9f95b96f06d415
                                            • Instruction ID: 248b8b5194c0815311d0b0ddcf83eb4a8576b0dab8a870a062ee5825a5469f9e
                                            • Opcode Fuzzy Hash: 67001abb18decab323d755f245189660e29310560d094cc48b9f95b96f06d415
                                            • Instruction Fuzzy Hash: 24319A35B012119FDB49DF34D8849AEBBB6FF89210B018469EA06CF356DB71ED01CB90
                                            Function 06AB87A0 Relevance: .1, Instructions: 93COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 30054c1b6a41d045d65a98d618d3463a7e4e2ed5332fb2024988e4debc0bad83
                                            • Instruction ID: 3deec4565663f4f1951f31bb454403905f04eb1d9a6be629de1f9019514b2b9d
                                            • Opcode Fuzzy Hash: 30054c1b6a41d045d65a98d618d3463a7e4e2ed5332fb2024988e4debc0bad83
                                            • Instruction Fuzzy Hash: BC41E271D01248DFDB54DFEAD940ADEFBBAAF88310F14802AE415AB250DB35A945CF90
                                            Function 06A92ECB Relevance: .1, Instructions: 83COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485031236.0000000006A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A90000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6a90000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 99eefcd642c4160dc3199a466741f6685ae829dc396ffe05145d02a25466eec3
                                            • Instruction ID: 2d3827a1881b3bad8620ae12a33927b489ba638322fb57827c6c00f32272aba1
                                            • Opcode Fuzzy Hash: 99eefcd642c4160dc3199a466741f6685ae829dc396ffe05145d02a25466eec3
                                            • Instruction Fuzzy Hash: 0A312A35E206199FCB44DFA9D4849DEB7F6FF88310B21816AE815BB310EB70A905CB60
                                            Function 06AB8796 Relevance: .1, Instructions: 79COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 83bfc2394a2f42e1dfc89238ecc710d92d1b20e24c3345c83cf95dcdc868b98a
                                            • Instruction ID: 55bd88b9d7cb265d09f1cbdbc8f87cb4f833b3dad30311ccb054e45b45983cfd
                                            • Opcode Fuzzy Hash: 83bfc2394a2f42e1dfc89238ecc710d92d1b20e24c3345c83cf95dcdc868b98a
                                            • Instruction Fuzzy Hash: D331F2B1D01248DFDB54DFAAC944BDEBFBAAF48310F14802AE415AB290DB755945CF90
                                            Function 06AB8A98 Relevance: .1, Instructions: 77COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0946ce9194ac5437695d16a7cb8341047defa0fc2ae659bb45af4f9a890b0fca
                                            • Instruction ID: cb5dadf5bc8cde328014d4d3017f264f9ba39a1023a3e2e9c25cfe81f49e973e
                                            • Opcode Fuzzy Hash: 0946ce9194ac5437695d16a7cb8341047defa0fc2ae659bb45af4f9a890b0fca
                                            • Instruction Fuzzy Hash: 2331E2B1D01258DFDF54DFA9D894BDEBBB9AF48310F24842AE405A7241C778A945CB90
                                            Function 06AB6E72 Relevance: .1, Instructions: 76COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac969bf764b08ed9cfffeb7b5151fb5edcd07936db56309a7f00709bd6eeb8f3
                                            • Instruction ID: 516981d2398a4f0583736229f536e26b454a5681f7e297f2a5c67a84b68b6671
                                            • Opcode Fuzzy Hash: ac969bf764b08ed9cfffeb7b5151fb5edcd07936db56309a7f00709bd6eeb8f3
                                            • Instruction Fuzzy Hash: 8511E63220D2D52FC7564B695C60CEB7FEDDE8A250308419BF9C6C7183C428C961D7B1
                                            Function 0132D3D8 Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1468843024.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_132d000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eb391e40089bff5e6a97f84a759adbe4c32c9771e14e182bfa7bbc08cbec2826
                                            • Instruction ID: 5e9fa7493c746b2dd0d36c11768b4c6e137cff4743cd4b4760e53299645c526c
                                            • Opcode Fuzzy Hash: eb391e40089bff5e6a97f84a759adbe4c32c9771e14e182bfa7bbc08cbec2826
                                            • Instruction Fuzzy Hash: 9D216771504304EFEB05EF94D9C0B66BBA5FB84328F20C16DE9091F206C736E446CBA2
                                            Function 02E6D01C Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469441046.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2e6d000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf9b27b34d7c93f78c620764a37821be85734f31f5710b1e725c71e6c1a2a6ae
                                            • Instruction ID: 2e8cd377d93687b0310dc69f656a5fffe32961c93d3f0cc9e78c43b83468c018
                                            • Opcode Fuzzy Hash: bf9b27b34d7c93f78c620764a37821be85734f31f5710b1e725c71e6c1a2a6ae
                                            • Instruction Fuzzy Hash: DD212571684344DFDB54DF10D988B26BBA6EB84318F64C56DE8094B242C336D447CA61
                                            Function 06AB8F42 Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 533cae44fcaefe99241a6c2b01d2072c881b5a5fbf5609a65803ccc4300702fb
                                            • Instruction ID: cb2b10004a5af2aeb2b0e44d847abe5a3bcc65a531de7bc2cd38781ebffd76e4
                                            • Opcode Fuzzy Hash: 533cae44fcaefe99241a6c2b01d2072c881b5a5fbf5609a65803ccc4300702fb
                                            • Instruction Fuzzy Hash: 8E211574D0425ADFCF40DFA8D5846EEBBB5FF09311F1050AAE415AB392D7385A81CB90
                                            Function 06AB8A8C Relevance: .1, Instructions: 70COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f769f0fcebd3eca8d1cdcf2f237f4ce22eb77bced207839bd481c18463073f0d
                                            • Instruction ID: d2006051da6893ae30433304826ef967c7606d8d0ca82f163b2895c06fb6c21b
                                            • Opcode Fuzzy Hash: f769f0fcebd3eca8d1cdcf2f237f4ce22eb77bced207839bd481c18463073f0d
                                            • Instruction Fuzzy Hash: CC2115B1D01348DFDB14DFA9C894BDEBFF9AF08710F14842AE405A7241C7749945CBA0
                                            Function 02E6D005 Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469441046.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2e6d000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6b211bd9499a7c8e5b0b1a481ca705789aeadeddc278f585f98a0b4e6edb5f0
                                            • Instruction ID: ae23dc64dea4bae149998ea441182dbfcccb4dccd470a9db797dee6a10fb982f
                                            • Opcode Fuzzy Hash: d6b211bd9499a7c8e5b0b1a481ca705789aeadeddc278f585f98a0b4e6edb5f0
                                            • Instruction Fuzzy Hash: 9321A4755493C08FCB12CF20D994715BF72EF46218F28C5EAD8498F667C33A980ACB62
                                            Function 06AB8C58 Relevance: .1, Instructions: 57COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 010e84faecef0e10c7a1947d0542a11e67b98c2959be10e9578c780217559a02
                                            • Instruction ID: fed0a5d24c0db92f120a97e9a8eba7b1d28839254ca43e8937bc230f3235db77
                                            • Opcode Fuzzy Hash: 010e84faecef0e10c7a1947d0542a11e67b98c2959be10e9578c780217559a02
                                            • Instruction Fuzzy Hash: 0E21D375E012189FCB48DFA9E8486DDBBF5BF89300F10512AE405B3350DB381945CB54
                                            Function 0132D3D3 Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1468843024.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_132d000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6a0fc9ea90b81d590695a3b1a0d9a1954ef52919f9a685501d906818d82db64
                                            • Instruction ID: 38022cfc23c1d547a1875c2dca636dc01b138e454b2c349b55d4d13cf4e8ec15
                                            • Opcode Fuzzy Hash: d6a0fc9ea90b81d590695a3b1a0d9a1954ef52919f9a685501d906818d82db64
                                            • Instruction Fuzzy Hash: DE110372404280CFDB12DF44D9C4B56BF71FB84328F24C6A9D8095B617C33AE456CBA1
                                            Function 06AB8350 Relevance: .0, Instructions: 50COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a9ed82257e99a4063963fef84ba1e089e84174a7b6d1d6f4efb337da4e2e129
                                            • Instruction ID: b641e54f785b2735399748353cd64658414bdc849dd55cad46968b50a94997d3
                                            • Opcode Fuzzy Hash: 9a9ed82257e99a4063963fef84ba1e089e84174a7b6d1d6f4efb337da4e2e129
                                            • Instruction Fuzzy Hash: 9B017131B001199BDB10EAA9AC44AAFF7FEFB88651B144036E605D3240DB30AD1687A1
                                            Function 06ABBC6B Relevance: .0, Instructions: 48COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 194f74657b367ea669c1db0b5498b56ce15a75aa2fc680526faf2cee30a93d06
                                            • Instruction ID: bee9b1945b28fca322ca048fa6145ffc0b9f8408d93a58b51cf07bd7ccc1a6a9
                                            • Opcode Fuzzy Hash: 194f74657b367ea669c1db0b5498b56ce15a75aa2fc680526faf2cee30a93d06
                                            • Instruction Fuzzy Hash: 6801DF353502069FC684F738E4546AE37E3FFC4168314882CD3079BA40CE38BD4A8BAA
                                            Function 06ABBC70 Relevance: .0, Instructions: 46COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6303467bd0b1b02a873ed30dc97c1b43b8009d52c4d8c4e62015336084bf4ea5
                                            • Instruction ID: 447018c0fe6ac4b67b2450a6f9262285ef81d2423baad3a102dde1e5c2777049
                                            • Opcode Fuzzy Hash: 6303467bd0b1b02a873ed30dc97c1b43b8009d52c4d8c4e62015336084bf4ea5
                                            • Instruction Fuzzy Hash: 9201BC3534020A5BC684F738E4546AE37E3FEC4168344882CD3078B600DE38BC4A8BAA
                                            Function 0132DAC5 Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1468843024.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_132d000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d042bbf7ff2d1dec59bddbac112667bb1b06da26898d732f129dae814d5db0b
                                            • Instruction ID: 16193df145d2142e23b2040b81ce6d0f4a4e2fe95b8da93526a7642cc6b7b524
                                            • Opcode Fuzzy Hash: 5d042bbf7ff2d1dec59bddbac112667bb1b06da26898d732f129dae814d5db0b
                                            • Instruction Fuzzy Hash: CA012B31108354AFF7205B55CDD4B67BBDCDF41239F18C46AED080E642C3749440CAB1
                                            Function 06ABC4A3 Relevance: .0, Instructions: 43COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2da3a329f514f4faf958343b351945156988f2c89fd0bfbaa47adb82d89190b9
                                            • Instruction ID: 2f97a08e8c1171c1e4200bd62ec270aa04138dfd1603ff9867120ce4812b6694
                                            • Opcode Fuzzy Hash: 2da3a329f514f4faf958343b351945156988f2c89fd0bfbaa47adb82d89190b9
                                            • Instruction Fuzzy Hash: 390192352006048BD324EF65E44876E77E3FFC9325B148A28D54B87A44CF78AC0A8FA6
                                            Function 06ABC4A8 Relevance: .0, Instructions: 42COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1d2da6d347973d8a975597f1af00e72da078cfb0e6555d81ad2be8304d58671
                                            • Instruction ID: 4fef2837f53b77c041a694bdaa0b8a8b9f462410ce8e91f5d1d3a5123877f72a
                                            • Opcode Fuzzy Hash: e1d2da6d347973d8a975597f1af00e72da078cfb0e6555d81ad2be8304d58671
                                            • Instruction Fuzzy Hash: 64019E352007088BD324EF65D44866E77E7FFC9725B148A28D14B87A44CF78AC0A8FA6
                                            Function 06AB5508 Relevance: .0, Instructions: 42COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 57217e70dff079090328e17f683371f617cb331938f739ebf2bfcf51c7089b0e
                                            • Instruction ID: 87a36c3775d967f4dfb2c9df0d42566091d9fa011036286f5bb0887ea4407669
                                            • Opcode Fuzzy Hash: 57217e70dff079090328e17f683371f617cb331938f739ebf2bfcf51c7089b0e
                                            • Instruction Fuzzy Hash: 5F01D630E01301CFD7A5AF35E4006A773FBBF84216704993CD0038A906DA71E480CF94
                                            Function 06AB67C8 Relevance: .0, Instructions: 38COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 001a86884ee969add72febf99aac04269f4485241cf93d6d07e1512daff37f27
                                            • Instruction ID: c290e347bae212711509194ec3220b364ee6e561b58e0fdd2592b0eb75d8eae2
                                            • Opcode Fuzzy Hash: 001a86884ee969add72febf99aac04269f4485241cf93d6d07e1512daff37f27
                                            • Instruction Fuzzy Hash: CEF02B317443006FC7209BA8AC40FD67FDA9B82B20F049125F210CF1E2D7B1E8458790
                                            Function 06AB8F50 Relevance: .0, Instructions: 37COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73f14f07fe7ad4138bf4c201c7cd3c380d4b64c04550871606988b0573a8ce04
                                            • Instruction ID: f098a2ee96d54c7f4648cf1f403500aca164e08bd4ebd680fc61965cd0fdb7ce
                                            • Opcode Fuzzy Hash: 73f14f07fe7ad4138bf4c201c7cd3c380d4b64c04550871606988b0573a8ce04
                                            • Instruction Fuzzy Hash: 970104B4D04209DFCB44DFA9D5446EEBBF9BF48300F1090AAD414A3341E7380A40CF91
                                            Function 0132DAC4 Relevance: .0, Instructions: 36COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1468843024.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_132d000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37ee60db07b9b44bc0ce2e959fd60ac75103f0df6bb6f3a103fe625c8b64b42d
                                            • Instruction ID: 15085036955913ce47b97a7183bf51396bbadc4a19486482f45d9d89fe082c1e
                                            • Opcode Fuzzy Hash: 37ee60db07b9b44bc0ce2e959fd60ac75103f0df6bb6f3a103fe625c8b64b42d
                                            • Instruction Fuzzy Hash: 9FF06272408354AEE7218E1ADDC4B62FFD8EF41639F28C55AED485B686C3789844CAB1
                                            Function 06AB3EC8 Relevance: .0, Instructions: 36COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 60eadc5960fb3cd0af89064b663dcff10b8bbe104e4c694929ce7392f0c00147
                                            • Instruction ID: cf9d04512bbb71e4cf573d707a942353b432b47f5f0d8cb8bda42a3c2d598008
                                            • Opcode Fuzzy Hash: 60eadc5960fb3cd0af89064b663dcff10b8bbe104e4c694929ce7392f0c00147
                                            • Instruction Fuzzy Hash: 44F090303002155BDA1AF769F450AAE73EBEBC96203108929D00A9B740EF74ED4687A9
                                            Function 06AB6EA0 Relevance: .0, Instructions: 35COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b43561884e565f37b10378753587b17a6c4376f04d23e07de70db000e7404c1
                                            • Instruction ID: dda6e3eb6be17967ba2038b98dfe2d9a9235efc9a64616fd2f283e51e904e05a
                                            • Opcode Fuzzy Hash: 2b43561884e565f37b10378753587b17a6c4376f04d23e07de70db000e7404c1
                                            • Instruction Fuzzy Hash: F2F037722041E83F8B555E9A5C10CFB7FEDDA8E1617084156FFD9D2241C42DC921ABB0
                                            Function 06ABB365 Relevance: .0, Instructions: 34COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b9eeaa6d96b172e40cf4027f74a8d6fe8f98fedb646ad66ed8da99060a9e34e
                                            • Instruction ID: 3f639b26bcdcd85bd515ec39a5848a6305e75712fb1134873b33aea7026957ae
                                            • Opcode Fuzzy Hash: 4b9eeaa6d96b172e40cf4027f74a8d6fe8f98fedb646ad66ed8da99060a9e34e
                                            • Instruction Fuzzy Hash: F5011D78901219EFCB04EFB8E4546EC7BF2FB84214B1445A9D846E7710DB345E84CB55
                                            Function 06AB8341 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d9d6fd658aa4936ef043bcaff8fc37c599ac41f22e690623e90ab0fc0e4f15a
                                            • Instruction ID: c88a46918a3f4c83c1a382316a32a1b6d217801785fe8171d79475c029595da1
                                            • Opcode Fuzzy Hash: 2d9d6fd658aa4936ef043bcaff8fc37c599ac41f22e690623e90ab0fc0e4f15a
                                            • Instruction Fuzzy Hash: 10F0A772F001158B9B10AAACAC486FEBBAEAB882507090037D614D7100F734881A83B0
                                            Function 06AB8FC0 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e7b7fd379afd9e458c0a2fd75e09a667ab67be84d18cc171ed1c9e895bf4f9de
                                            • Instruction ID: c8cbd8e7e072d722396a0ce190c8ff7e1c74f67718b51b358a903e26f00a933e
                                            • Opcode Fuzzy Hash: e7b7fd379afd9e458c0a2fd75e09a667ab67be84d18cc171ed1c9e895bf4f9de
                                            • Instruction Fuzzy Hash: F5F0A9B5C08149DFDB40DBB4C8051EEBFB8EF1A201F0051DAE406E7352E6394A41DB51
                                            Function 06ABACB8 Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 50302e0f684af2112cd03071265f80d73e35b99a1a82c57a3de0505c98c18398
                                            • Instruction ID: 7fd843f31610bb21e8aafe90303d439caa64890f3341fd879feb82db1b6a4d1d
                                            • Opcode Fuzzy Hash: 50302e0f684af2112cd03071265f80d73e35b99a1a82c57a3de0505c98c18398
                                            • Instruction Fuzzy Hash: F9F0E2B27091B05FD756276868240AD3BB6E9C766130840DFD287CB262CA288907C7B5
                                            Function 06ABB368 Relevance: .0, Instructions: 32COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 76e535f094b0ed1cb7f427629435d61717bfb7ec94d514b88a54b727c2fc6a97
                                            • Instruction ID: 20be62386e4a973833592c8456e932d34f090873de4804a2095c796c13a817ea
                                            • Opcode Fuzzy Hash: 76e535f094b0ed1cb7f427629435d61717bfb7ec94d514b88a54b727c2fc6a97
                                            • Instruction Fuzzy Hash: 58F03C78A01209EFCB04EFB8E4546AC7BF2FB84214F1485A9D846E7710DB345E84CB55
                                            Function 06ABADF1 Relevance: .0, Instructions: 31COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5be64b8c9be7109453f85ab63dca8d49e1a12db41f1905d18c87a6bac523dc1
                                            • Instruction ID: 1850e037ac7e60cef12bb31d1df3c8995183e6667c96a63fba199d6586f461f8
                                            • Opcode Fuzzy Hash: f5be64b8c9be7109453f85ab63dca8d49e1a12db41f1905d18c87a6bac523dc1
                                            • Instruction Fuzzy Hash: 0BE02272300011AFC7106B69A958AEF7BDBEBCE361B00443CE20FD3240CA28180587B4
                                            Function 06ABC11B Relevance: .0, Instructions: 28COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f1d4328382c67c343a994c692a8371ba52d8c02de85be0e4f8d13114a60dc9a
                                            • Instruction ID: 9958e0a8e3d6ff1a5efc81f4a13b7a6ec44ecdbb90425ef3cd26f786acbf783d
                                            • Opcode Fuzzy Hash: 7f1d4328382c67c343a994c692a8371ba52d8c02de85be0e4f8d13114a60dc9a
                                            • Instruction Fuzzy Hash: 5AF0A7302047649FC311EB69E4047EF7FEADF85664F08051EE186C7A41DBA5AC458BA6
                                            Function 06ABC17B Relevance: .0, Instructions: 28COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 828f41077a484ff310877c45883b1453c4176bc40ce8f09549405c0e98e232d9
                                            • Instruction ID: 5f09a0915633d5c21fe0e2f2c579e186fd38a75f6975d9d24383676726c491e0
                                            • Opcode Fuzzy Hash: 828f41077a484ff310877c45883b1453c4176bc40ce8f09549405c0e98e232d9
                                            • Instruction Fuzzy Hash: A8F06279901701CFD725DF26D508666BBF7FB88301700861EE48B82A10DB34A549CF84
                                            Function 06ABADF8 Relevance: .0, Instructions: 28COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af697d4f410b9070e73ce7e672ff89336d0b50ce2f15753b2afa9b71279077bc
                                            • Instruction ID: c27f1d71bcac02c615c6dd07e224a52575cda1cab8283ec1a3a917c8a9362ede
                                            • Opcode Fuzzy Hash: af697d4f410b9070e73ce7e672ff89336d0b50ce2f15753b2afa9b71279077bc
                                            • Instruction Fuzzy Hash: B7E092713041116BC7106B6AA448AAE7BDEEBCE665B10443CE20FD3241CA69580587B9
                                            Function 06AB5698 Relevance: .0, Instructions: 27COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7446f22745e2e1ae55a779bdd960fc6ef6f5817fed4c4a1a49d11e508d52f506
                                            • Instruction ID: 5519f891a3f9419c304960394e8750695fda57d633dbac08a238419018005a6e
                                            • Opcode Fuzzy Hash: 7446f22745e2e1ae55a779bdd960fc6ef6f5817fed4c4a1a49d11e508d52f506
                                            • Instruction Fuzzy Hash: 0FE06DB250D310AFC345DB24AC04897BBADEB91220B06886EE484CB181E671D840CBA5
                                            Function 06ABC180 Relevance: .0, Instructions: 27COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a85596c3e09579f045beb3dbc5546a9f29e4176a492b8f5977d325df59183021
                                            • Instruction ID: 5012275859d3bb3d02122ea1e15ee9e185d734669b23bc7a4c8ef1fe4697abc8
                                            • Opcode Fuzzy Hash: a85596c3e09579f045beb3dbc5546a9f29e4176a492b8f5977d325df59183021
                                            • Instruction Fuzzy Hash: 95F09078900B01CFD715DF26E408662BBFAFF88310700C62EE48A83A10DB74A589CF84
                                            Function 06ABB500 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f7d023e4098d277309505232d58c1ef32dc55c950c7030ed91b9b5c0bb6cf3dc
                                            • Instruction ID: 062edadf890e61217e20b0506709abb78aad3028e170005a221fde6f56900272
                                            • Opcode Fuzzy Hash: f7d023e4098d277309505232d58c1ef32dc55c950c7030ed91b9b5c0bb6cf3dc
                                            • Instruction Fuzzy Hash: BDF03935D0120DEFCB01DFB4D9589DDBFB9EB48200F1442A6D885E3254EB309B89CB80
                                            Function 06ABC120 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4024bcb09e1eea1c5eedd61b9ed8aed28c63ddd915fdaa8c17faf77c0f1a08d8
                                            • Instruction ID: f64c9cda3ee492aeb9e6f4f24f313181aade1d8e2bc8594a0749c4f2598cee63
                                            • Opcode Fuzzy Hash: 4024bcb09e1eea1c5eedd61b9ed8aed28c63ddd915fdaa8c17faf77c0f1a08d8
                                            • Instruction Fuzzy Hash: D0E065302007559FC711E769E4087AE7BEADF85624F08052DD287C7A41DBA6AC458BA6
                                            Function 06ABE280 Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 91cb793b06638e10c3f4d56f2889bc25035ecf196f5960e91775311995a8e467
                                            • Instruction ID: 4bca50b4ff54661f892fd8cc7b85fbac2a82cc5a0073a804348f91851d6e07e1
                                            • Opcode Fuzzy Hash: 91cb793b06638e10c3f4d56f2889bc25035ecf196f5960e91775311995a8e467
                                            • Instruction Fuzzy Hash: 1FE026392016415FD749B721BD116863BA2E7CA210F1240A2D40A8BBE1C63C4EC787E3
                                            Function 06ABE1FF Relevance: .0, Instructions: 22COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2956572c98f29daadfb2b4bc27bf13a07b4c4cfe895b1218b740ea255bf3677f
                                            • Instruction ID: 102403eb05fe73313dd05868090d35506cfaccc5166acf3d8cf388ad2517bb2f
                                            • Opcode Fuzzy Hash: 2956572c98f29daadfb2b4bc27bf13a07b4c4cfe895b1218b740ea255bf3677f
                                            • Instruction Fuzzy Hash: 5AE04871A09259FFCB01DB64A84059D77B1DA8621472046D6D809D7291D6744F158761
                                            Function 06ABAC80 Relevance: .0, Instructions: 20COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: da06aa1ab7456d9dae45ce341202acd19acc4aee7a63b82aa632166bbcc928dd
                                            • Instruction ID: bb3c440f2eccd0740aa78b5f4aed5366f1e7a8eddeca57b933afe9591489f0bc
                                            • Opcode Fuzzy Hash: da06aa1ab7456d9dae45ce341202acd19acc4aee7a63b82aa632166bbcc928dd
                                            • Instruction Fuzzy Hash: CBD05B71300139578A453769B4584AE77ABEBC7671304442DE607C3240CE655D0287F9
                                            Function 06ABB510 Relevance: .0, Instructions: 19COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c386f417474a305a13667e7c2cb9ada0d3e64b3eedc2b6b19f24ea4f301ce241
                                            • Instruction ID: d92f40a45c4e98daafaa75e5decdedadfc9fe88b24cae065cfd2e91ffdc24c1f
                                            • Opcode Fuzzy Hash: c386f417474a305a13667e7c2cb9ada0d3e64b3eedc2b6b19f24ea4f301ce241
                                            • Instruction Fuzzy Hash: 2AE09279D0020CEFCB40DFE4E9459DDBBB9EB48200F1482AAD909E3200EB306B55DF80
                                            Function 06ABCC43 Relevance: .0, Instructions: 18COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c258959ea6f9ef73718c4069f4da90d4273abd65bed8b4ff253c1afc157a8acd
                                            • Instruction ID: be62f0e27def7d60fa0286ca801c330b1b4e98f02c1fc88155f59ae06e914782
                                            • Opcode Fuzzy Hash: c258959ea6f9ef73718c4069f4da90d4273abd65bed8b4ff253c1afc157a8acd
                                            • Instruction Fuzzy Hash: 54D012392015659BC651EA16F401AD93395E7C5225F208124D00E97B80CA385CC78BE6
                                            Function 06ABCE93 Relevance: .0, Instructions: 17COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 14dd13f2e5d176409542a17cb51012b049cacdafad76e3d3e6a7581560b32380
                                            • Instruction ID: 2edacce3ed5cb5ffe2c1ea64fbc2c119f91a3d46af9411a177f07fe8abce1c88
                                            • Opcode Fuzzy Hash: 14dd13f2e5d176409542a17cb51012b049cacdafad76e3d3e6a7581560b32380
                                            • Instruction Fuzzy Hash: E3E01278101265DBD650FB15F544ACA37A5EBC5228B204524DC4A97B80C7389C878B95
                                            Function 06ABE210 Relevance: .0, Instructions: 16COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0361baabfb2e8d61b151df20e2b8ac818107eeabfb4dd8123895e6af01d55d4
                                            • Instruction ID: 8c89ea722efba135484d95f71b85af185c3998edc672eeda13e222aada0f635b
                                            • Opcode Fuzzy Hash: a0361baabfb2e8d61b151df20e2b8ac818107eeabfb4dd8123895e6af01d55d4
                                            • Instruction Fuzzy Hash: 00D05EB1A0120CFFCB40EFA9E94099DB7F9EB84214B2085A9D50DE3300EA316F009BA5
                                            Function 06ABF8E0 Relevance: .0, Instructions: 15COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f262060e76b7427880a01d6581fa933e7110083d09a6a8fbc4655f99b436c03f
                                            • Instruction ID: 11f8326cb52f7d3b7882d2a88c6c334f279ef91c549f8e0afd71e504dad41ef5
                                            • Opcode Fuzzy Hash: f262060e76b7427880a01d6581fa933e7110083d09a6a8fbc4655f99b436c03f
                                            • Instruction Fuzzy Hash: 04D0225BB4402007C306729C702023C6AC3E3D81C7BC2412ED607C7388CC264C220381
                                            Function 06AB3721 Relevance: .0, Instructions: 13COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e88d66e8973bdafe8873781e15630a67b506cb9766ea3c69ae8e65a839ce6d41
                                            • Instruction ID: c7927f7e00149018e5a5c2c770055434761f47006ccf8819604c60fab7f85a69
                                            • Opcode Fuzzy Hash: e88d66e8973bdafe8873781e15630a67b506cb9766ea3c69ae8e65a839ce6d41
                                            • Instruction Fuzzy Hash: CFC0123100A3803FC70206202C01EE73E265B92B00B060282B2859B49282A2166892B2
                                            Function 06ABE8FF Relevance: .0, Instructions: 10COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d36f17fd7fa6a840becd3b9a84ff69c85cac95a788e14cd928148a7d764544a9
                                            • Instruction ID: ee4be670ae167bba4c0f301e616e6d87d5a45ff5996e51e49b8dcd1474b2f83d
                                            • Opcode Fuzzy Hash: d36f17fd7fa6a840becd3b9a84ff69c85cac95a788e14cd928148a7d764544a9
                                            • Instruction Fuzzy Hash: F2D0C939254104EFC741EF50D6548643B66BF99210744448EF5894F671C632D925DB00
                                            Function 06ABE908 Relevance: .0, Instructions: 10COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf81d6e8626c98955923d90005f7ec899d15137b314f5ea82be49f64a0b67b62
                                            • Instruction ID: 9fe68578960da7fa5beda8faa40f395ae2f4455b935a7dd9edeae13dbd261aa1
                                            • Opcode Fuzzy Hash: bf81d6e8626c98955923d90005f7ec899d15137b314f5ea82be49f64a0b67b62
                                            • Instruction Fuzzy Hash: 3AC00236260208EFCB41EF99D844C557BB9BF59B147509099FA454F631C732E921EB50
                                            Function 06ABDFD1 Relevance: .0, Instructions: 8COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8b0b4e6e5bfbf8e60625d4089aaa17128fea72ff402e09e6a469819cb27ad8fe
                                            • Instruction ID: b348f83d54839a27632c695de785a35f9d0b122575e2f9d5f6c3dc44bbcb4597
                                            • Opcode Fuzzy Hash: 8b0b4e6e5bfbf8e60625d4089aaa17128fea72ff402e09e6a469819cb27ad8fe
                                            • Instruction Fuzzy Hash: 15C04C3554B2E08AEB12AB60C81D5447F31AF9661576501CAA6858B076D6254419C751

                                            Non-executed Functions

                                            Function 06AB6FE8 Relevance: .8, Instructions: 787COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cc57570608525279deaf474e5d1b0c664b24cc3cfe4f68b7ce3d8c2ac96e99e8
                                            • Instruction ID: fee6a7ec36521135c7b14c5431080b4603cf4d27c8bec441a3b128f05cfe3c1b
                                            • Opcode Fuzzy Hash: cc57570608525279deaf474e5d1b0c664b24cc3cfe4f68b7ce3d8c2ac96e99e8
                                            • Instruction Fuzzy Hash: 036222B06002019FE749EF19D45475ABBD6EF88308F24C55CC10A9F396DBBAD90B8F99
                                            Function 06AB6FF8 Relevance: .8, Instructions: 780COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1485055432.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_6ab0000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 15e612c7975de73dabd1cc308f7125071abcb091bc19debc1c4c0e5bfc5249f5
                                            • Instruction ID: b4fa2be02416cb365fa75142d2efcd68d500cab5cc013d40dea22c2299b72736
                                            • Opcode Fuzzy Hash: 15e612c7975de73dabd1cc308f7125071abcb091bc19debc1c4c0e5bfc5249f5
                                            • Instruction Fuzzy Hash: 616222B06002019FE749EF19D45475ABBD6EF88308F24C45CC10A9F396DBBAD90B8F99
                                            Function 05700040 Relevance: .3, Instructions: 315COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 11c2670758ea90c216842151e27676bfd57b2ce7bc0386711e66c38116ff6098
                                            • Instruction ID: f99e1b5f892a66f04026f5ec941a66637c2602c7d6f4deea81e11d7aafeb8e96
                                            • Opcode Fuzzy Hash: 11c2670758ea90c216842151e27676bfd57b2ce7bc0386711e66c38116ff6098
                                            • Instruction Fuzzy Hash: D71270B04127458FE320EF69ED4D2897BB1BBC6728F904209D2656F2E9DBBC154ACF44
                                            Function 02F3DC74 Relevance: .3, Instructions: 264COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1469751574.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_2f30000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e9efa5c0dc907ebaa1c8ac0d35143698f8444a10ae467d30d303835d884a7260
                                            • Instruction ID: 0d51e28dadcd6c5491ec0088d78873580ad0f4870b978b2a42221d34a3517279
                                            • Opcode Fuzzy Hash: e9efa5c0dc907ebaa1c8ac0d35143698f8444a10ae467d30d303835d884a7260
                                            • Instruction Fuzzy Hash: 6DA16C32E00209CFCF06DFB5C98059EB7B2FF84350B15456AEA06AB265DB75E955CF80
                                            Function 05700007 Relevance: .2, Instructions: 239COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.1483532186.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_5700000_RegAsm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cc1df0e98bd7884df388df649e0446700dde9df0290666fbff6e40daeb2c1b3e
                                            • Instruction ID: 15be0115fd94e712bb2f64b3ccc812324b39479ac9c6ee3ca3519e85b1ab679f
                                            • Opcode Fuzzy Hash: cc1df0e98bd7884df388df649e0446700dde9df0290666fbff6e40daeb2c1b3e
                                            • Instruction Fuzzy Hash: 2CC1F4B08127458FD720EF68EC4928A7BB1FBC6728F554209D1616F2E9DBBC148ACF44