Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1505083
MD5:e600b6015b0312b52214f459fcc6f3c2
SHA1:0e763e33524e467b46d27e5f0603cd2165c47fed
SHA256:65bb6281d63ad091f8b6b4d0c460d9d6c1631fe141fe15b23dc6d23a41e094ad
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 1360 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E600B6015B0312B52214F459FCC6F3C2)
    • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 1964 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "147.45.47.36:30035", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000002.00000002.2171722834.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000000.00000002.2006781657.0000000003AF5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
              Process Memory Space: file.exe PID: 1360JoeSecurity_RedLineYara detected RedLine StealerJoe Security
                Click to see the 2 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.2.file.exe.3af5570.0.raw.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  2.2.RegAsm.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    0.2.file.exe.3af5570.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                      Sigma Signatures

                      No Sigma rule has matched

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-05T18:38:55.239834+020020432341A Network Trojan was detected147.45.47.3630035192.168.2.549704TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-05T18:38:55.047106+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:00.287156+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:00.916736+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:01.199601+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:01.492078+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:01.685615+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:02.495326+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:02.704807+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:02.904579+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:03.117574+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:03.349446+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:03.668603+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:03.673695+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:04.498787+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:04.696185+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:04.892361+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:05.157040+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:05.392443+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:05.628938+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:05.969776+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:05.991356+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:06.867533+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:07.172858+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:07.782260+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:08.169907+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:08.383022+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      2024-09-05T18:39:08.871682+020020432311A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-05T18:39:00.792876+020020460561A Network Trojan was detected147.45.47.3630035192.168.2.549704TCP
                      2024-09-05T18:39:00.792961+020020460561A Network Trojan was detected147.45.47.3630035192.168.2.549704TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-09-05T18:38:55.047106+020020460451A Network Trojan was detected192.168.2.549704147.45.47.3630035TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Found malware configuration
                      Source: 00000000.00000002.2006781657.0000000003AF5000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: RedLine {"C2 url": "147.45.47.36:30035", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for sample
                      Source: file.exeJoe Sandbox ML: detected
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: AVP.pdb source: file.exe

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49704 -> 147.45.47.36:30035
                      Source: Network trafficSuricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49704 -> 147.45.47.36:30035
                      Source: Network trafficSuricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 147.45.47.36:30035 -> 192.168.2.5:49704
                      Source: Network trafficSuricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 147.45.47.36:30035 -> 192.168.2.5:49704
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: 147.45.47.36:30035
                      Source: global trafficTCP traffic: 192.168.2.5:49704 -> 147.45.47.36:30035
                      Source: Joe Sandbox ViewIP Address: 147.45.47.36 147.45.47.36
                      Source: Joe Sandbox ViewASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
                      Source: unknownDNS traffic detected: query: 56.126.166.20.in-addr.arpa replaycode: Name error (3)
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.36
                      Source: global trafficDNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000033A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16V
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000033A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000033A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: file.exe, 00000000.00000002.2006781657.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2171722834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp911D.tmpJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp914D.tmpJump to dropped file

                      System Summary

                      barindex
                      .NET source code contains very large array initializations
                      Source: file.exe, Hdjgt4QD24ZrUGf4jK.csLarge array initialization: Hdjgt4QD24ZrUGf4jK: array initializer size 311296
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0302DC742_2_0302DC74
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_055A69482_2_055A6948
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_055A7C202_2_055A7C20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_055A00402_2_055A0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_055A00062_2_055A0006
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_055A7C102_2_055A7C10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_069F67D82_2_069F67D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_069FA3E82_2_069FA3E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_069F3F502_2_069F3F50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_069FA3D82_2_069FA3D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_069F6FF82_2_069F6FF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_069F6FE82_2_069F6FE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BFDEB82_2_07BFDEB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BFFCD82_2_07BFFCD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BF6C202_2_07BF6C20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BFAA282_2_07BFAA28
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BF19E82_2_07BF19E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BF08A02_2_07BF08A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BFE7D82_2_07BFE7D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BFE7C92_2_07BFE7C9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BFA6F82_2_07BFA6F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07BFFCD52_2_07BFFCD5
                      Source: file.exe, 00000000.00000002.2003923944.0000000000D6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
                      Source: file.exe, 00000000.00000000.2000959814.0000000000714000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVQP.exe\ vs file.exe
                      Source: file.exe, 00000000.00000002.2006781657.0000000003B38000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePennants.exe8 vs file.exe
                      Source: file.exeBinary or memory string: OriginalFilenameVQP.exe\ vs file.exe
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/6@1/1
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.logJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp911D.tmpJump to behavior
                      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: file.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: esdsip.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
                      Source: Google Chrome.lnk.2.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: AVP.pdb source: file.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_055AC9C0 push es; ret 2_2_055AC9D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_055AD871 push es; ret 2_2_055AD880
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_069FDFD1 push es; ret 2_2_069FDFE6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_069FECF2 push eax; ret 2_2_069FED01
                      Source: file.exeStatic PE information: section name: .text entropy: 7.978591296339034

                      Persistence and Installation Behavior

                      barindex
                      Installs new ROOT certificates
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 BlobJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 2850000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 2AF0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 2850000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2F40000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 30D0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2F40000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 596Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2920Jump to behavior
                      Source: C:\Users\user\Desktop\file.exe TID: 2460Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2508Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5304Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2173973312.0000000003426000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655LR]q4aB
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                      Source: RegAsm.exe, 00000002.00000002.2182552833.0000000005A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004575000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                      Source: RegAsm.exe, 00000002.00000002.2176637606.0000000004540000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_02AF5249 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_02AF5249
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E9D008Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: file.exe, 00000000.00000002.2003923944.0000000000DA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avp.exe
                      Source: file.exe, 00000000.00000002.2003923944.0000000000DA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVP.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.file.exe.3af5570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.3af5570.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.2171722834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2006781657.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 1360, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1964, type: MEMORYSTR
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                      Tries to steal Crypto Currency Wallets
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                      Source: Yara matchFile source: 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1964, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.file.exe.3af5570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.3af5570.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.2171722834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2006781657.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 1360, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1964, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		411
                      Process Injection                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		231
                      Security Software Discovery                      		Remote Services1
                      Archive Collected Data                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                      DLL Side-Loading                      		1
                      Disable or Modify Tools                      		LSASS Memory1
                      Process Discovery                      		Remote Desktop Protocol2
                      Data from Local System                      		1
                      Non-Standard Port                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                      Virtualization/Sandbox Evasion                      		Security Account Manager241
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Non-Application Layer Protocol                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput Capture11
                      Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                      Obfuscated Files or Information                      		LSA Secrets1
                      File and Directory Discovery                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Install Root Certificate                      		Cached Domain Credentials113
                      System Information Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      file.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sct0%Avira URL Cloudsafe
                      https://duckduckgo.com/ac/?q=0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text0%Avira URL Cloudsafe
                      https://duckduckgo.com/chrome_newtab0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id23ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id12Response0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id14ResponseD0%Avira URL Cloudsafe
                      147.45.47.36:300350%Avira URL Cloudsafe
                      http://tempuri.org/0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id50%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id80%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id2Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id90%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha10%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id40%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id70%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id19Response0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id60%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id13ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/fault0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp90%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/sc0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id6Response0%Avira URL Cloudsafe
                      https://api.ip.sb/ip0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id9Response0%Avira URL Cloudsafe
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id200%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id220%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id210%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA10%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id230%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id240%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                      https://www.ecosia.org/newtab/0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id1Response0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id21ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/08/addressing0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id110%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id120%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id16Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id100%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id130%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id150%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id140%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id180%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id160%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id170%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id190%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id15ResponseD0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id11ResponseD0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.00%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT0%Avira URL Cloudsafe
                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%Avira URL Cloudsafe
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%Avira URL Cloudsafe
                      http://tempuri.org/Entity/Id17ResponseD0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      56.126.166.20.in-addr.arpa
                      		unknown
                      		unknownfalse
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        147.45.47.36:30035true
                        • Avira URL Cloud: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/sc/sctRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://duckduckgo.com/chrome_newtabRegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://duckduckgo.com/ac/?q=RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id14ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id23ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000033A0000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id12ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id2ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id21ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id9RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id8RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id6ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id5RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id4RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id7RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id6RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id19ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://api.ip.sb/ipfile.exe, 00000000.00000002.2006781657.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2171722834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id20RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id21RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id22RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id23RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id24RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://www.ecosia.org/newtab/RegAsm.exe, 00000002.00000002.2173973312.00000000034FC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2176637606.000000000410B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000035F5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id10RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id11RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id12RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id13RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id14RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id15RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id16RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id17RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id18RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id19RegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000033A0000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000002.00000002.2173973312.00000000030D1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000002.00000002.2173973312.00000000031BC000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        147.45.47.36
                        		unknownRussian Federation
                        		2895FREE-NET-ASFREEnetEUtrue

                        General Information

                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1505083
                        Start date and time:2024-09-05 18:38:04 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 14s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:5
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@4/6@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 109
                        • Number of non-executed functions: 19
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated

                        Warnings

                        • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: file.exe

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        12:39:05API Interceptor20x Sleep call for process: RegAsm.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        147.45.47.36file.exeGet hashmaliciousRedLineBrowse
                          FileApp.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRATBrowse
                            file.exeGet hashmaliciousRedLineBrowse
                              file.exeGet hashmaliciousRedLineBrowse
                                bj6NsBOOyE.exeGet hashmaliciousRedLineBrowse
                                  file.exeGet hashmaliciousPureLog Stealer, RedLineBrowse
                                    file.exeGet hashmaliciousRedLineBrowse
                                      file.exeGet hashmaliciousRedLineBrowse
                                        file.exeGet hashmaliciousRedLineBrowse
                                          file.exeGet hashmaliciousRedLineBrowse

                                            Domains

                                            No context

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            FREE-NET-ASFREEnetEUfile.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                            • 147.45.68.138
                                            file.exeGet hashmaliciousLummaC, VidarBrowse
                                            • 147.45.68.138
                                            SecuriteInfo.com.Win32.PWSX-gen.13539.31213.exeGet hashmaliciousStealcBrowse
                                            • 147.45.41.134
                                            Kpmg.exeGet hashmaliciousLummaCBrowse
                                            • 147.45.44.131
                                            file.exeGet hashmaliciousRedLineBrowse
                                            • 147.45.47.36
                                            FileApp.exeGet hashmaliciousLummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRATBrowse
                                            • 147.45.47.36
                                            file.exeGet hashmaliciousRedLineBrowse
                                            • 147.45.47.36
                                            file.exeGet hashmaliciousStealcBrowse
                                            • 147.45.47.137
                                            Selenium.exeGet hashmaliciousLummaCBrowse
                                            • 147.45.44.131
                                            Kpmg.exeGet hashmaliciousLummaCBrowse
                                            • 147.45.44.131

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\Public\Desktop\Google Chrome.lnk

                                            Download File
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:53 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
                                            Category:dropped
                                            Size (bytes):2104
                                            Entropy (8bit):3.451582224594359
                                            Encrypted:false
                                            SSDEEP:48:8SOl2dfTXd3RYrnvPdAKRkdAGdAKRFdAKRE:8SOlOw
                                            MD5:542B88DC1A6B3BCA4638598B553C6A8C
                                            SHA1:C1F4F690430EFFF6101423881348826CCE765C07
                                            SHA-256:CECFFC30D255EF46A4C91745482124E4760439871D69EA8625A691D67D84B241
                                            SHA-512:0207F218F3843A8ACFE579D1A887A9DED27FAC16CC2981639259E93DA61422F4EA6ED81062ACB0F1453235245E706A80E4F3ED8B1376AA3D32522BC96030A387
                                            Malicious:false
                                            Reputation:low
                                            Preview:L..................F.@.. ......,.....&.l.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

                                            Download File
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):3274
                                            Entropy (8bit):5.3318368586986695
                                            Encrypted:false
                                            SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                            MD5:0B2E58EF6402AD69025B36C36D16B67F
                                            SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                            SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                            SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

                                            Download File
                                            Process:C:\Users\user\Desktop\file.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):42
                                            Entropy (8bit):4.0050635535766075
                                            Encrypted:false
                                            SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                            MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                            SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                            SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                            SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..

                                            C:\Users\user\AppData\Local\Temp\Tmp911D.tmp

                                            Download File
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2662
                                            Entropy (8bit):7.8230547059446645
                                            Encrypted:false
                                            SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                            MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                            SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                            SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                            SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                            C:\Users\user\AppData\Local\Temp\Tmp914D.tmp

                                            Download File
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2662
                                            Entropy (8bit):7.8230547059446645
                                            Encrypted:false
                                            SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                            MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                            SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                            SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                            SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

                                            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

                                            Download File
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2251
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3::
                                            MD5:0158FE9CEAD91D1B027B795984737614
                                            SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
                                            SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
                                            SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
                                            Malicious:false
                                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                            Static File Info

                                            General

                                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.964230381568243
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:file.exe
                                            File size:331'776 bytes
                                            MD5:e600b6015b0312b52214f459fcc6f3c2
                                            SHA1:0e763e33524e467b46d27e5f0603cd2165c47fed
                                            SHA256:65bb6281d63ad091f8b6b4d0c460d9d6c1631fe141fe15b23dc6d23a41e094ad
                                            SHA512:b1c1a68128c2cd75df9cb1d890358fd6bb85d9a62288468a19db3295cc25e6cb97c05fa0b5bc3b1dd2b88bd39b343ce5cd1494ca8ab56352c1e375e88fe7e464
                                            SSDEEP:6144:sPP5QJyXEJZq77hQ8ed1oBj32nQumiUdfg+CYnDNMhXYGenCnaW1qMJyky:cGJyX2EdQ8ed1K+Yfg+DDGYn4aW1TJyD
                                            TLSH:2264121AF363263ACE1A5BF594540D00C3BEEB3C7E135ADBFD9806599F95A060742B32
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................."... ...@....@.. ....................................`................................

                                            File Icon

                                            Icon Hash:00928e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x4522de
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows cui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x66D9DCC4 [Thu Sep 5 16:31:00 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x522900x4b.text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x540000x614.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x560000xc.reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x5224c0x1c.text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text

                                            Sections

                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000x502e40x504004a87c615584d5bfa88120685b104945cFalse0.9756528670171339data7.978591296339034IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc0x540000x6140x800fe5ecc4b2e3bbff42730cbe7a097d641False0.34375data3.4504417414588056IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc0x560000xc0x200d5b902e1e7907226d81bfea7588cdad1False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                            RT_VERSION0x540a00x388data0.44026548672566373
                                            RT_MANIFEST0x544280x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                            Imports

                                            DLLImport
                                            mscoree.dll_CorExeMain

                                            Network Behavior

                                            Suricata IDS Alerts

                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                            2024-09-05T18:38:55.047106+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:38:55.047106+02002046045ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:38:55.239834+02002043234ET MALWARE Redline Stealer TCP CnC - Id1Response1147.45.47.3630035192.168.2.549704TCP
                                            2024-09-05T18:39:00.287156+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:00.792876+02002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)1147.45.47.3630035192.168.2.549704TCP
                                            2024-09-05T18:39:00.792961+02002046056ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)1147.45.47.3630035192.168.2.549704TCP
                                            2024-09-05T18:39:00.916736+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:01.199601+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:01.492078+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:01.685615+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:02.495326+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:02.704807+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:02.904579+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:03.117574+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:03.349446+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:03.668603+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:03.673695+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:04.498787+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:04.696185+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:04.892361+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:05.157040+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:05.392443+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:05.628938+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:05.969776+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:05.991356+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:06.867533+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:07.172858+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:07.782260+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:08.169907+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:08.383022+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP
                                            2024-09-05T18:39:08.871682+02002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.549704147.45.47.3630035TCP

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Sep 5, 2024 18:38:54.354057074 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:38:54.358877897 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:38:54.358967066 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:38:54.368570089 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:38:54.373446941 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:38:55.013776064 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:38:55.047106028 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:38:55.052767038 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:38:55.239834070 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:38:55.282254934 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:00.287156105 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:00.294567108 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:00.792699099 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:00.792717934 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:00.792728901 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:00.792733908 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:00.792740107 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:00.792807102 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:00.792876005 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:00.792926073 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:00.792960882 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:00.793004036 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:00.916735888 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:00.921627045 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.108812094 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.157241106 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:01.199600935 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:01.204547882 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.204574108 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.204586983 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.204611063 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.204622030 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.204632998 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:01.204683065 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:01.204689026 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.204709053 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.204719067 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.204726934 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.209155083 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.209506035 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.209521055 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.209527969 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.209583998 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.209595919 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.209650993 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.209660053 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.487214088 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.492078066 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:01.496948957 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.682909966 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.685615063 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:01.690421104 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.878061056 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:01.922883034 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:02.495326042 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:02.500232935 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:02.687287092 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:02.704807043 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:02.709788084 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:02.896091938 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:02.904578924 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:02.909523010 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.095733881 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.117573977 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.122697115 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.308881998 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.349446058 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.354429960 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.540643930 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.594738007 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.668602943 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.673626900 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673641920 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673650980 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673655033 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673660040 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673695087 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.673722029 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673727989 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.673732996 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673743963 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673753977 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673774004 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.673785925 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.673815012 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.673835039 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.673883915 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678232908 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678241968 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678255081 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678263903 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678287983 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678313017 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678332090 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678342104 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678354979 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678386927 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678412914 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678447962 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678466082 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678498030 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678522110 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678523064 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678565979 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678577900 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678607941 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678613901 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678668022 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678756952 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.678805113 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.678960085 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.679003000 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.683693886 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.683753014 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.683762074 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.683768988 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.683886051 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.684045076 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684093952 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.684106112 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684114933 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684123039 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684133053 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684140921 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684149027 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.684150934 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684160948 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684170961 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684180021 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.684180021 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684190989 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.684212923 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.684226990 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.684252977 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.687840939 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687850952 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687858105 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687860966 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687903881 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.687903881 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687916040 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687921047 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.687927008 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687937021 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687947035 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.687958956 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.687980890 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.687999010 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.689022064 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.689888954 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.689913034 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.689932108 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.689941883 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.689958096 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.689985037 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.689995050 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690040112 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690057039 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690064907 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690073013 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690083981 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690093040 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690154076 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690164089 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690172911 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690176964 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690242052 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690251112 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690258980 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690268040 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690279007 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690290928 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690299988 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690309048 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690335035 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690342903 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690351963 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690360069 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690427065 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690438986 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690479994 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690489054 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690496922 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690507889 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690521002 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690530062 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690537930 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.690568924 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690579891 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690587997 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690598011 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690603018 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.690639973 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690650940 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690658092 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690666914 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690696955 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690706968 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690716028 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690723896 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690732002 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690819025 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690828085 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690834999 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690843105 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.690845966 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.693665028 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.693675041 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.693694115 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.693703890 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.693742990 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.693928003 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.693937063 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695034981 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695044041 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695054054 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695120096 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695128918 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695138931 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695147991 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695188046 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695230961 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695240974 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695373058 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695507050 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.695648909 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.695708036 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.697115898 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697171926 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697201014 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697309971 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697319031 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697329044 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697397947 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697438955 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697695017 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697705030 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697772026 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.697825909 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698044062 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698052883 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698102951 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698112011 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698303938 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698312998 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698322058 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698331118 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698338985 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.698348045 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699346066 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699354887 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699362993 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699371099 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699379921 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699388027 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699398994 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699407101 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699417114 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699425936 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699434042 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699443102 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699450016 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699456930 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699462891 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699465990 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699475050 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699484110 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699491978 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699505091 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699512959 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699520111 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699532032 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699541092 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699552059 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699562073 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699572086 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699579954 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699589014 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699596882 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699605942 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699614048 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.699758053 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.699815989 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.703475952 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703532934 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703573942 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703583956 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703592062 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703603983 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703650951 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703660011 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703670025 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703679085 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703686953 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703695059 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703753948 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703763008 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703772068 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703778982 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703845978 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703855038 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703869104 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703877926 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703886032 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703896046 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703903913 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.703912973 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704526901 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704535961 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704539061 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704545975 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704555035 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704562902 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704571962 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704580069 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704588890 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704596996 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704606056 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704615116 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704622030 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704632044 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704639912 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704648972 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704657078 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704664946 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704673052 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704682112 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704690933 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704699039 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704709053 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704716921 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704726934 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704735994 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704745054 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704754114 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704761982 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704771042 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.704924107 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.704993963 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.707557917 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707576036 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707586050 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707618952 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707629919 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707645893 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707670927 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707681894 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707690001 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707699060 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707740068 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707747936 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707756996 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707767963 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707776070 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707787037 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707794905 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707803011 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707887888 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707896948 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707900047 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707904100 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707911968 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.707921028 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709464073 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709474087 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709481955 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709495068 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709503889 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709511995 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709522009 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709528923 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709537029 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709546089 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709553957 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709561110 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709568977 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709577084 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709589958 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709599972 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709609032 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709618092 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709625959 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709634066 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709642887 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709651947 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709660053 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709662914 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709672928 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709681988 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709691048 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709701061 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709709883 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709718943 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.709847927 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.709908962 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.712414980 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712425947 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712534904 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712543964 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712553024 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712560892 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712569952 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712583065 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712795973 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712806940 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712814093 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712831974 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712841034 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712847948 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.712857008 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713078976 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713088989 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713095903 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713102102 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713262081 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713272095 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713282108 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713289976 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713298082 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.713300943 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715235949 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715245962 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715249062 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715253115 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715255976 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715265036 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715274096 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715281963 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715291977 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715298891 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715307951 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715316057 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715325117 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715333939 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715342999 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715352058 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715361118 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715368986 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715377092 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715385914 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715394974 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715403080 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715410948 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715423107 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715434074 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715442896 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715456963 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715465069 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715471983 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:03.715615988 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:03.715682983 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.016861916 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.151928902 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.151987076 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.152143002 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.152260065 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.152271986 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.152407885 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.152568102 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.152576923 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.152623892 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.152848959 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.152859926 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.152908087 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153132915 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153165102 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153184891 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153208971 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153299093 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153307915 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153346062 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153351068 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153400898 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153431892 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153441906 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153445959 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153456926 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153466940 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153496981 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153505087 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153512955 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153553963 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153556108 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153565884 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153573990 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153601885 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153604984 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153616905 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153657913 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153711081 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153721094 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153723955 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153732061 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153740883 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153753042 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153772116 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153793097 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153804064 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153830051 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153841019 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153847933 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153881073 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153898001 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.153985977 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.153995991 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154000044 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154042959 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154047966 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154052973 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154062033 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154073954 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154082060 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154089928 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154126883 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154376030 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154386044 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154390097 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154397964 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154407978 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154417038 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154426098 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154438972 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154443026 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154453993 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154462099 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154469967 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154470921 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154480934 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154489994 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154520035 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154527903 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154539108 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154545069 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154556036 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154575109 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154578924 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154601097 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154609919 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154644966 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154654026 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154661894 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154745102 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154752016 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154762983 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154772997 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154782057 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154787064 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154814005 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154839993 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154845953 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154855967 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.154906034 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.154962063 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155014992 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.155056000 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155065060 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155072927 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155081034 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155091047 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155100107 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155108929 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155109882 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.155118942 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155128956 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155138016 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155143023 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.155147076 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155158043 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.155167103 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155177116 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155185938 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155194044 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.155195951 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155206919 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155211926 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.155217886 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155235052 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155237913 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.155246019 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155253887 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155262947 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155272007 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155298948 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155308008 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155316114 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155327082 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155335903 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155344009 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155354023 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155375004 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155384064 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155391932 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155402899 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155451059 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155525923 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155535936 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155539036 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155548096 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155558109 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155582905 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155669928 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.155755043 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.156996012 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157006979 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157052994 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157052994 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.157223940 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157234907 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157238960 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157275915 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157388926 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157453060 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157461882 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157567978 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157766104 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157774925 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157778978 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.157866001 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158008099 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158052921 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158062935 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158111095 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158166885 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158222914 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158231020 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158344984 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158392906 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158402920 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158411026 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158420086 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158437967 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158447027 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158454895 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158464909 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158476114 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158484936 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158504009 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158513069 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158576965 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158586025 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158643961 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158683062 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158691883 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158721924 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158730984 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158734083 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158765078 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158823967 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158838987 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158971071 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158979893 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158983946 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158987045 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.158996105 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159007072 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159015894 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159059048 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159069061 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159118891 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159168959 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159178972 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159199953 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159328938 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159338951 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159348011 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159357071 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159365892 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159384966 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159393072 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159434080 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159442902 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159451008 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159491062 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159547091 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159555912 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159564018 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159600973 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159617901 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159626961 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159771919 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159780979 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159789085 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159797907 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159807920 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159826040 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159840107 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159849882 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159859896 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159868956 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159878016 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159894943 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159917116 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159926891 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159934998 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159954071 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.159964085 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160001040 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160020113 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160029888 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160042048 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160077095 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160087109 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160115004 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160141945 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160151005 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160243034 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160265923 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160274982 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.160279036 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.161680937 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.161730051 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.161741018 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.161750078 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.161802053 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.161812067 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163026094 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163072109 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163152933 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163163900 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163263083 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163271904 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163316965 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163326979 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163444996 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163455963 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163536072 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163587093 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163597107 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163630962 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163706064 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163752079 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163825035 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163834095 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163873911 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.163961887 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164072037 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164081097 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164091110 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164098978 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164172888 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164239883 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164304018 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164356947 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164366007 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164500952 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164585114 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164632082 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164684057 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164694071 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164829016 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164876938 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164886951 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.164948940 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165045023 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165054083 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165091038 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165153027 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165162086 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165170908 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165182114 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165190935 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165208101 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165250063 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165258884 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165291071 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165330887 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165342093 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165479898 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165534973 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165544033 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.165550947 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.496782064 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.498786926 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.504398108 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.690922976 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.696185112 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.701524019 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.891089916 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:04.892360926 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:04.897200108 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.083575964 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.151639938 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:05.157040119 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:05.163330078 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.349338055 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.391710043 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:05.392442942 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:05.397891045 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.584567070 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.625998974 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:05.628937960 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:05.639720917 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.639781952 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.639791965 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.639822960 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.639831066 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.639841080 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.639844894 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.640008926 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.920475006 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:05.969775915 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:05.991355896 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:05.996365070 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:06.182857037 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:06.235506058 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:06.867532969 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:07.172858000 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:07.782259941 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:07.914829969 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:07.914845943 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:07.916040897 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:08.101028919 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:08.157380104 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:08.169907093 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:08.175081015 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:08.375993967 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:08.383022070 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:08.387964010 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:08.613960981 CEST3003549704147.45.47.36192.168.2.5
                                            Sep 5, 2024 18:39:08.657258034 CEST4970430035192.168.2.5147.45.47.36
                                            Sep 5, 2024 18:39:08.871681929 CEST4970430035192.168.2.5147.45.47.36

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Sep 5, 2024 18:39:25.164360046 CEST5357525162.159.36.2192.168.2.5
                                            Sep 5, 2024 18:39:25.635520935 CEST5112953192.168.2.51.1.1.1
                                            Sep 5, 2024 18:39:25.642875910 CEST53511291.1.1.1192.168.2.5

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                            Sep 5, 2024 18:39:25.635520935 CEST192.168.2.51.1.1.10x943eStandard query (0)56.126.166.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                            Sep 5, 2024 18:39:25.642875910 CEST1.1.1.1192.168.2.50x943eName error (3)56.126.166.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                            Statistics

                                            CPU Usage

                                            Click to jump to process

                                            Memory Usage

                                            Click to jump to process

                                            High Level Behavior Distribution

                                            Click to dive into process behavior distribution

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Target ID:0
                                            Start time:12:38:50
                                            Start date:05/09/2024
                                            Path:C:\Users\user\Desktop\file.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                            Imagebase:0x6c0000
                                            File size:331'776 bytes
                                            MD5 hash:E600B6015B0312B52214F459FCC6F3C2
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2006781657.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            General

                                            Target ID:1
                                            Start time:12:38:51
                                            Start date:05/09/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:2
                                            Start time:12:38:51
                                            Start date:05/09/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                            Imagebase:0xcd0000
                                            File size:65'440 bytes
                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2171722834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2173973312.0000000003177000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true

                                            Disassembly

                                            Reset < >

                                              Execution Graph

                                              Execution Coverage:52.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:25%
                                              Total number of Nodes:24
                                              Total number of Limit Nodes:1
                                              execution_graph 359 2af5249 362 2af5281 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 359->362 361 2af545e WriteProcessMemory 363 2af54a3 361->363 362->361 364 2af54a8 WriteProcessMemory 363->364 365 2af54e5 WriteProcessMemory Wow64SetThreadContext ResumeThread 363->365 364->363 366 28f0b50 367 28f0b6d 366->367 372 28f0ca8 367->372 368 28f0b7f 369 28f0bba 368->369 377 28f04d8 368->377 376 28f0cd5 372->376 373 28f0fd3 VirtualProtectEx 374 28f1013 373->374 374->368 375 28f0f64 375->368 376->373 376->375 378 28f0f88 VirtualProtectEx 377->378 380 28f1013 378->380 380->369 381 28f0b40 382 28f0b50 381->382 386 28f0ca8 VirtualProtectEx 382->386 383 28f0b7f 384 28f04d8 VirtualProtectEx 383->384 385 28f0bba 383->385 384->385 386->383

                                              Callgraph

                                              • Executed
                                              • Not Executed
                                              • Opacity -> Relevance
                                              • Disassembly available
                                              callgraph 0 Function_028F018C 1 Function_028F0489 2 Function_028F0288 3 Function_028F0108 4 Function_028F0485 5 Function_028F0204 6 Function_02AF50A2 7 Function_028F0481 8 Function_028F0080 9 Function_028F0180 10 Function_028F049F 57 Function_028F0860 10->57 11 Function_028F0C19 12 Function_028F0198 13 Function_028F0114 14 Function_028F0090 15 Function_028F0210 16 Function_028F022C 17 Function_028F0CA8 18 Function_028F01A8 19 Function_028F0AA8 56 Function_028F09E0 19->56 20 Function_028F00A0 21 Function_028F0120 22 Function_028F0220 23 Function_028F00BC 24 Function_028F013C 25 Function_028F023C 26 Function_028F0938 27 Function_028F1035 62 Function_028F0278 27->62 28 Function_028F01B4 29 Function_028F00B0 30 Function_028F0130 31 Function_028F004D 32 Function_028F04CC 33 Function_028F024C 34 Function_028F00C8 35 Function_028F0148 36 Function_028F01C0 37 Function_028F0B40 37->17 37->32 40 Function_028F04D8 37->40 52 Function_028F04E4 37->52 38 Function_028F115F 38->62 39 Function_028F025C 41 Function_028F0458 42 Function_028F1158 43 Function_028F00D4 44 Function_028F0154 45 Function_028F1152 46 Function_028F0850 46->57 47 Function_028F0B50 47->17 47->32 47->40 47->52 48 Function_028F09D0 49 Function_028F026C 50 Function_02AF5249 51 Function_028F01E8 52->62 53 Function_028F00E4 54 Function_028F0164 55 Function_028F0464 56->56 58 Function_028F0060 59 Function_028F047D 60 Function_028F00FC 61 Function_028F0479 63 Function_028F0475 64 Function_028F0174 65 Function_028F01F4 66 Function_028F0471 67 Function_028F00F0 68 Function_028F0070 69 Function_028F04F0 69->57

                                              Executed Functions

                                              Function 02AF5249 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282threadinjectionmemoryCOMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02AF51BB,02AF51AB), ref: 02AF53B8
                                              • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02AF53CB
                                              • Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 02AF53E9
                                              • ReadProcessMemory.KERNELBASE(00000088,?,02AF51FF,00000004,00000000), ref: 02AF540D
                                              • VirtualAllocEx.KERNELBASE(00000088,?,?,00003000,00000040), ref: 02AF5438
                                              • WriteProcessMemory.KERNELBASE(00000088,00000000,?,?,00000000,?), ref: 02AF5490
                                              • WriteProcessMemory.KERNELBASE(00000088,00400000,?,?,00000000,?,00000028), ref: 02AF54DB
                                              • WriteProcessMemory.KERNELBASE(00000088,?,?,00000004,00000000), ref: 02AF5519
                                              • Wow64SetThreadContext.KERNEL32(00000098,02A70000), ref: 02AF5555
                                              • ResumeThread.KERNELBASE(00000098), ref: 02AF5564
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2004525968.0000000002AF5000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF5000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2af5000_file.jbxd
                                              Similarity
                                              • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                              • API String ID: 2687962208-1257834847
                                              • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                              • Instruction ID: d0a7aa1fa1424cfeb9b48a611a2c2d3188f73e5932fe098687340ce4a5b3a2d0
                                              • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                              • Instruction Fuzzy Hash: 75B1E57660024AAFDB60CFA8CC80BDA77A5FF88714F158124EA0CAB341D774FA41CB94
                                              Function 028F0CA8 Relevance: 1.8, APIs: 1, Instructions: 284COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 23 28f0ca8-28f0cea 26 28f0cec-28f0cfd 23->26 28 28f0f6c-28f1011 VirtualProtectEx 26->28 29 28f0d03-28f0d1d 26->29 39 28f1018-28f102c 28->39 40 28f1013 28->40 29->28 30 28f0d23-28f0d2e 29->30 30->28 31 28f0d34-28f0d3f 30->31 31->26 33 28f0d41-28f0d49 31->33 35 28f0d4c-28f0d54 33->35 35->28 36 28f0d5a-28f0d67 35->36 36->28 38 28f0d6d-28f0d79 36->38 41 28f0d7b-28f0d81 38->41 42 28f0d82-28f0d8c 38->42 40->39 41->42 42->28 43 28f0d92-28f0d9c 42->43 43->28 44 28f0da2-28f0dae 43->44 44->28 45 28f0db4-28f0dc1 44->45 45->35 46 28f0dc3-28f0dd2 45->46 47 28f0dd8-28f0ddf 46->47 48 28f0f64-28f0f6b 46->48 49 28f0de9-28f0df4 47->49 50 28f0de1-28f0de8 47->50 49->28 51 28f0dfa-28f0e06 49->51 50->49 52 28f0e0f-28f0e19 51->52 53 28f0e08-28f0e0e 51->53 52->28 54 28f0e1f-28f0e29 52->54 53->52 54->28 55 28f0e2f-28f0e3b 54->55 55->28 56 28f0e41-28f0e62 55->56 57 28f0e6c-28f0eb0 56->57 58 28f0e64-28f0e6b 56->58 64 28f0eb7-28f0ee4 57->64 58->57 67 28f0ee6-28f0eeb 64->67 68 28f0ef3-28f0efc 64->68 67->68 68->28 69 28f0efe-28f0f08 68->69 69->28 70 28f0f0a-28f0f20 69->70 71 28f0f2f-28f0f38 70->71 72 28f0f22-28f0f27 70->72 71->28 73 28f0f3a-28f0f43 71->73 72->71 73->28 74 28f0f45-28f0f5e 73->74 74->47 74->48
                                              APIs
                                              • VirtualProtectEx.KERNELBASE(?,03AF3590,?,?,?), ref: 028F1004
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2004382209.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_file.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: aa2a02a440d57bae6378789daff25f5b81d4278fa33c91831377cfa0bcf7b2fe
                                              • Instruction ID: 8517bdf77a46ade98c0062514e29343cc9e72476d3317e8ef7c73f381281da06
                                              • Opcode Fuzzy Hash: aa2a02a440d57bae6378789daff25f5b81d4278fa33c91831377cfa0bcf7b2fe
                                              • Instruction Fuzzy Hash: 62B1AC79A0025A8FCB01CFA8C480AEDFBF2FF48304F558569E558E7756D334A841CBA4
                                              Function 028F04D8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 75 28f04d8-28f1011 VirtualProtectEx 78 28f1018-28f102c 75->78 79 28f1013 75->79 79->78
                                              APIs
                                              • VirtualProtectEx.KERNELBASE(?,03AF3590,?,?,?), ref: 028F1004
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2004382209.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28f0000_file.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: a447b62cbf482f8889cdcbbc9a6cf5c65e1c80efa50ce69ffd5704310242d3d7
                                              • Instruction ID: beec2795071d21dbdd443a3d06a5c2a01aaf2bc87cec76055b300e408ceb3a79
                                              • Opcode Fuzzy Hash: a447b62cbf482f8889cdcbbc9a6cf5c65e1c80efa50ce69ffd5704310242d3d7
                                              • Instruction Fuzzy Hash: 0421E4B5901259EFCB00DF9AC984ADEFBB4FB49310F108119EA18A7250C3756554CBE1

                                              Execution Graph

                                              Execution Coverage:8.5%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:86
                                              Total number of Limit Nodes:8
                                              execution_graph 54559 2dad01c 54560 2dad034 54559->54560 54561 2dad08e 54560->54561 54564 55a2c08 54560->54564 54573 55a0ad4 54560->54573 54567 55a2c45 54564->54567 54565 55a2c79 54595 55a0bfc 54565->54595 54567->54565 54568 55a2c69 54567->54568 54582 55a2e6c 54568->54582 54587 55a2da0 54568->54587 54591 55a2d90 54568->54591 54569 55a2c77 54574 55a0adf 54573->54574 54575 55a2c79 54574->54575 54577 55a2c69 54574->54577 54576 55a0bfc CallWindowProcW 54575->54576 54578 55a2c77 54576->54578 54579 55a2e6c CallWindowProcW 54577->54579 54580 55a2d90 CallWindowProcW 54577->54580 54581 55a2da0 CallWindowProcW 54577->54581 54579->54578 54580->54578 54581->54578 54583 55a2e7a 54582->54583 54584 55a2e2a 54582->54584 54599 55a2e58 54584->54599 54585 55a2e40 54585->54569 54588 55a2db4 54587->54588 54590 55a2e58 CallWindowProcW 54588->54590 54589 55a2e40 54589->54569 54590->54589 54593 55a2db4 54591->54593 54592 55a2e40 54592->54569 54594 55a2e58 CallWindowProcW 54593->54594 54594->54592 54596 55a0c07 54595->54596 54597 55a435a CallWindowProcW 54596->54597 54598 55a4309 54596->54598 54597->54598 54598->54569 54600 55a2e69 54599->54600 54602 55a4292 54599->54602 54600->54585 54603 55a0bfc CallWindowProcW 54602->54603 54604 55a42aa 54603->54604 54604->54600 54605 3024668 54606 3024684 54605->54606 54607 3024696 54606->54607 54609 30247a0 54606->54609 54610 30247c5 54609->54610 54614 30248b0 54610->54614 54618 30248a1 54610->54618 54615 30248d7 54614->54615 54617 30249b4 54615->54617 54622 3024248 54615->54622 54619 30248b0 54618->54619 54620 30249b4 54619->54620 54621 3024248 CreateActCtxA 54619->54621 54621->54620 54623 3025940 CreateActCtxA 54622->54623 54625 3025a03 54623->54625 54626 302ad38 54629 302ae30 54626->54629 54627 302ad47 54630 302ae41 54629->54630 54631 302ae64 54629->54631 54630->54631 54637 302b0b8 54630->54637 54641 302b0c8 54630->54641 54631->54627 54632 302ae5c 54632->54631 54633 302b068 GetModuleHandleW 54632->54633 54634 302b095 54633->54634 54634->54627 54638 302b0dc 54637->54638 54639 302b101 54638->54639 54645 302a870 54638->54645 54639->54632 54642 302b0dc 54641->54642 54643 302b101 54642->54643 54644 302a870 LoadLibraryExW 54642->54644 54643->54632 54644->54643 54646 302b2a8 LoadLibraryExW 54645->54646 54648 302b321 54646->54648 54648->54639 54649 302d0b8 54650 302d0fe 54649->54650 54654 302d298 54650->54654 54657 302d289 54650->54657 54651 302d1eb 54655 302d2c6 54654->54655 54660 302c9a0 54654->54660 54655->54651 54658 302c9a0 DuplicateHandle 54657->54658 54659 302d2c6 54658->54659 54659->54651 54661 302d300 DuplicateHandle 54660->54661 54662 302d396 54661->54662 54662->54655 54663 7bf4ac0 54664 7bf4b08 LoadLibraryW 54663->54664 54665 7bf4b02 54663->54665 54666 7bf4b35 54664->54666 54665->54664

                                              Executed Functions

                                              Function 07BF6C20 Relevance: 16.2, Strings: 12, Instructions: 1183COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (_]q$(_]q$,aq$4c]q$4c]q$Haq$Nv\q$$]q$$]q$$]q$c]q$c]q
                                              • API String ID: 0-67377238
                                              • Opcode ID: f2a7b496d66d3e8e11b9199fcafe5f6bb7f401b1aaead1f588afc545e3ab85c0
                                              • Instruction ID: 524720a3058e0e423a7711ea9d6885c6b9fcd256e1b6d8978335b4f100890a7c
                                              • Opcode Fuzzy Hash: f2a7b496d66d3e8e11b9199fcafe5f6bb7f401b1aaead1f588afc545e3ab85c0
                                              • Instruction Fuzzy Hash: EC82EAB0B401158FCB59AFBD485062D6AE7FFCDB00F6049EAD14ADB394EE64CC458BA1
                                              Function 07BFAA28 Relevance: 13.3, Strings: 10, Instructions: 762COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1081 7bfaa28-7bfaa37 1082 7bfaa8a-7bfaa93 1081->1082 1083 7bfaa39-7bfaa45 1081->1083 1086 7bfaa95-7bfaaa1 1082->1086 1087 7bfaaa3-7bfaab0 call 7bfaa28 1082->1087 1088 7bfaa47-7bfaa63 1083->1088 1089 7bfaa65-7bfaa6f 1083->1089 1092 7bfaab6-7bfaabf 1086->1092 1087->1092 1088->1092 1094 7bfaa81-7bfaa88 1089->1094 1095 7bfaa71-7bfaa77 1089->1095 1094->1092 1097 7bfaa79-7bfaa7f 1095->1097 1098 7bfaac2-7bfab28 1095->1098 1097->1092 1104 7bfab2a-7bfab35 call 7bfaa28 1098->1104 1105 7bfab40-7bfab50 1098->1105 1106 7bfab3b 1104->1106 1109 7bfab89-7bfab94 1105->1109 1110 7bfab52-7bfab68 1105->1110 1108 7bfad4d-7bfad59 1106->1108 1113 7bfab96-7bfaba1 1109->1113 1114 7bfaba3-7bfabaf 1109->1114 1115 7bfab7e-7bfab84 1110->1115 1116 7bfab6a-7bfab79 1110->1116 1113->1114 1120 7bfabb4-7bfabd6 1113->1120 1114->1108 1115->1108 1116->1108 1124 7bfac1d-7bfac37 1120->1124 1125 7bfabd8-7bfabf8 1120->1125 1131 7bfac3d-7bfac4d 1124->1131 1132 7bfad17-7bfad2b 1124->1132 1130 7bfad4b 1125->1130 1130->1108 1133 7bfac4f-7bfac55 1131->1133 1134 7bfacb3-7bfacd0 1131->1134 1141 7bfad2d-7bfad39 1132->1141 1142 7bfad3b-7bfad41 1132->1142 1136 7bfac57-7bfac59 1133->1136 1137 7bfac63-7bfacb1 1133->1137 1148 7bfacd7-7bfacf8 1134->1148 1136->1137 1137->1148 1141->1108 1145 7bfad5c-7bfae29 1142->1145 1146 7bfad43-7bfad49 1142->1146 1164 7bfae2f-7bfae5b call 7bfaa28 1145->1164 1165 7bfaef7-7bfaf05 1145->1165 1146->1108 1146->1130 1148->1130 1175 7bfae5d-7bfae77 1164->1175 1176 7bfae7c-7bfae80 1164->1176 1168 7bfaf07-7bfaf1a 1165->1168 1169 7bfaf61-7bfaf65 1165->1169 1168->1169 1178 7bfaf1c-7bfaf3b 1168->1178 1172 7bfaf67-7bfaf73 1169->1172 1173 7bfaf75-7bfaf7c 1169->1173 1172->1173 1182 7bfaf7f-7bfafa7 1172->1182 1173->1182 1195 7bfb2cb-7bfb2d7 1175->1195 1180 7bfae82-7bfae8b 1176->1180 1181 7bfaea1 1176->1181 1198 7bfb2c8 1178->1198 1185 7bfae8d-7bfae90 1180->1185 1186 7bfae92-7bfae95 1180->1186 1183 7bfaea4-7bfaea9 1181->1183 1205 7bfb1bd-7bfb1c8 1182->1205 1206 7bfafad-7bfafbb 1182->1206 1183->1165 1188 7bfaeab-7bfaeaf 1183->1188 1187 7bfae9f 1185->1187 1186->1187 1187->1183 1191 7bfaee8-7bfaeee 1188->1191 1192 7bfaeb1-7bfaecc 1188->1192 1191->1165 1192->1191 1201 7bfaece-7bfaed4 1192->1201 1198->1195 1203 7bfb2da-7bfb2ee 1201->1203 1204 7bfaeda-7bfaee3 1201->1204 1215 7bfb2f5-7bfb358 1203->1215 1204->1195 1210 7bfb1fd-7bfb236 1205->1210 1211 7bfb1ca-7bfb1e1 1205->1211 1212 7bfb465-7bfb47a 1206->1212 1213 7bfafc1-7bfafd4 1206->1213 1222 7bfb28c-7bfb29f 1210->1222 1223 7bfb238-7bfb24f 1210->1223 1211->1210 1230 7bfb1e3-7bfb1e9 1211->1230 1220 7bfafff-7bfb00d 1213->1220 1221 7bfafd6-7bfafe3 1213->1221 1234 7bfb35f-7bfb38f 1215->1234 1220->1212 1233 7bfb013-7bfb028 1220->1233 1221->1220 1231 7bfafe5-7bfafeb 1221->1231 1226 7bfb2a1 1222->1226 1236 7bfb258-7bfb25a 1223->1236 1226->1198 1230->1234 1235 7bfb1ef-7bfb1f8 1230->1235 1231->1215 1237 7bfaff1-7bfaffa 1231->1237 1243 7bfb02a-7bfb043 1233->1243 1244 7bfb048-7bfb0c0 1233->1244 1253 7bfb3fb-7bfb45e 1234->1253 1254 7bfb391-7bfb3f4 1234->1254 1235->1195 1238 7bfb25c-7bfb279 1236->1238 1239 7bfb27b-7bfb28a 1236->1239 1237->1195 1238->1226 1239->1222 1239->1223 1256 7bfb0c6-7bfb0cd 1243->1256 1244->1256 1253->1212 1254->1253 1256->1205 1258 7bfb0d3-7bfb10c 1256->1258 1267 7bfb10e-7bfb135 call 7bfaa28 1258->1267 1268 7bfb178-7bfb18b 1258->1268 1281 7bfb137-7bfb154 1267->1281 1282 7bfb156-7bfb176 1267->1282 1272 7bfb18d 1268->1272 1272->1205 1281->1272 1282->1267 1282->1268
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q$4c]q$4c]q$4c]q$4|bq$$]q$$]q$$]q$$]q$$]q
                                              • API String ID: 0-4196629754
                                              • Opcode ID: f6ab508b513f46a15232abc2e0e65183ec567646eb82b3021b6f7467cfa09009
                                              • Instruction ID: fbcb7055219072ca3cc7c177c7fecb596f101beba5f2e43bfc6f07e25f7b1b3b
                                              • Opcode Fuzzy Hash: f6ab508b513f46a15232abc2e0e65183ec567646eb82b3021b6f7467cfa09009
                                              • Instruction Fuzzy Hash: 31526EB0B002198FDB18DF79C854AAEBBF6FF89700F1484A9E909DB364DA349D45CB51
                                              Function 07BF08A0 Relevance: 6.6, Strings: 5, Instructions: 392COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1397 7bf08a0-7bf08e1 1399 7bf08ed-7bf08f1 1397->1399 1400 7bf08e3-7bf08eb 1397->1400 1401 7bf08f6-7bf08fb 1399->1401 1400->1401 1402 7bf08fd-7bf0902 1401->1402 1403 7bf0904-7bf090d 1401->1403 1404 7bf0910-7bf0912 1402->1404 1403->1404 1405 7bf0c7e-7bf0ca8 1404->1405 1406 7bf0918-7bf0931 call 7bf0718 1404->1406 1430 7bf0caf-7bf0cef 1405->1430 1410 7bf097f-7bf0986 1406->1410 1411 7bf0933-7bf0943 1406->1411 1412 7bf098b-7bf099b 1410->1412 1413 7bf0988 1410->1413 1414 7bf0949-7bf0961 1411->1414 1415 7bf0c16-7bf0c33 1411->1415 1417 7bf099d-7bf09a9 1412->1417 1418 7bf09ab-7bf09c8 1412->1418 1413->1412 1419 7bf0c3c-7bf0c45 1414->1419 1420 7bf0967-7bf096e 1414->1420 1415->1419 1422 7bf09cc-7bf09d8 1417->1422 1418->1422 1423 7bf0c4d-7bf0c77 1419->1423 1420->1423 1424 7bf0974-7bf097e 1420->1424 1425 7bf09de 1422->1425 1426 7bf09da-7bf09dc 1422->1426 1423->1405 1429 7bf09e1-7bf09e3 1425->1429 1426->1429 1429->1430 1431 7bf09e9-7bf09fe 1429->1431 1462 7bf0cf6-7bf0d36 1430->1462 1433 7bf0a0e-7bf0a2b 1431->1433 1434 7bf0a00-7bf0a0c 1431->1434 1436 7bf0a2f-7bf0a3b 1433->1436 1434->1436 1438 7bf0a3d-7bf0a42 1436->1438 1439 7bf0a44-7bf0a4d 1436->1439 1441 7bf0a50-7bf0a52 1438->1441 1439->1441 1443 7bf0ada-7bf0ade 1441->1443 1444 7bf0a58-7bf0a5a call 7bf0d98 1441->1444 1446 7bf0b12-7bf0b2a call 7bf05e0 1443->1446 1447 7bf0ae0-7bf0afe 1443->1447 1448 7bf0a60-7bf0a80 call 7bf0718 1444->1448 1466 7bf0b2f-7bf0b59 call 7bf0718 1446->1466 1447->1446 1459 7bf0b00-7bf0b0d call 7bf0718 1447->1459 1454 7bf0a82-7bf0a8e 1448->1454 1455 7bf0a90-7bf0aad 1448->1455 1460 7bf0ab1-7bf0abd 1454->1460 1455->1460 1459->1411 1464 7bf0abf-7bf0ac4 1460->1464 1465 7bf0ac6-7bf0acf 1460->1465 1489 7bf0d3d-7bf0d96 1462->1489 1468 7bf0ad2-7bf0ad4 1464->1468 1465->1468 1474 7bf0b5b-7bf0b67 1466->1474 1475 7bf0b69-7bf0b86 1466->1475 1468->1443 1468->1462 1476 7bf0b8a-7bf0b96 1474->1476 1475->1476 1478 7bf0b9c 1476->1478 1479 7bf0b98-7bf0b9a 1476->1479 1480 7bf0b9f-7bf0ba1 1478->1480 1479->1480 1480->1411 1482 7bf0ba7-7bf0bb7 1480->1482 1483 7bf0bb9-7bf0bc5 1482->1483 1484 7bf0bc7-7bf0be4 1482->1484 1486 7bf0be8-7bf0bf4 1483->1486 1484->1486 1487 7bf0bfd-7bf0c06 1486->1487 1488 7bf0bf6-7bf0bfb 1486->1488 1490 7bf0c09-7bf0c0b 1487->1490 1488->1490 1490->1489 1491 7bf0c11 1490->1491 1491->1406
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Haq$Haq$Haq$Haq$Haq
                                              • API String ID: 0-1792267638
                                              • Opcode ID: 2e11a2c64f470e11be43e514f8258ae45b2ace9fd6ecdacc71f7d929332d6ed1
                                              • Instruction ID: d891d0dbfc3143a79e8b6f6e9691a45cc849945ac51fce4aeeaf051a3e2b8554
                                              • Opcode Fuzzy Hash: 2e11a2c64f470e11be43e514f8258ae45b2ace9fd6ecdacc71f7d929332d6ed1
                                              • Instruction Fuzzy Hash: 68F1C4B1A00256CBDB15DF74C4502BDFBF2FF85300F2486A9D546AB252E7789A89CB90
                                              Function 069F3F50 Relevance: 3.0, Strings: 2, Instructions: 531COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1594 69f3f50-69f3f84 1597 69f3f86-69f3f8f 1594->1597 1598 69f3f92-69f3fa5 1594->1598 1597->1598 1599 69f3fab-69f3fae 1598->1599 1600 69f4215-69f4219 1598->1600 1604 69f3fbd-69f3fc9 1599->1604 1605 69f3fb0-69f3fb5 1599->1605 1602 69f422e-69f4238 1600->1602 1603 69f421b-69f422b 1600->1603 1603->1602 1606 69f3fcf-69f3fe1 1604->1606 1607 69f4253-69f4299 1604->1607 1605->1604 1611 69f414d-69f415b 1606->1611 1612 69f3fe7-69f403a 1606->1612 1616 69f429b-69f42a5 1607->1616 1617 69f42a8-69f42d0 1607->1617 1618 69f4161-69f416f 1611->1618 1619 69f41e0-69f41e2 1611->1619 1641 69f403c-69f4048 call 69f3c88 1612->1641 1642 69f404a 1612->1642 1616->1617 1637 69f42d6-69f42ef 1617->1637 1638 69f4425-69f4443 1617->1638 1621 69f417e-69f418a 1618->1621 1622 69f4171-69f4176 1618->1622 1623 69f41e4-69f41ea 1619->1623 1624 69f41f0-69f41fc 1619->1624 1621->1607 1629 69f4190-69f41bf 1621->1629 1622->1621 1627 69f41ee 1623->1627 1628 69f41ec 1623->1628 1634 69f41fe-69f420f 1624->1634 1627->1624 1628->1624 1646 69f41c1-69f41ce 1629->1646 1647 69f41d0-69f41de 1629->1647 1634->1599 1634->1600 1658 69f4406-69f441f 1637->1658 1659 69f42f5-69f430b 1637->1659 1656 69f44ae-69f44b8 1638->1656 1657 69f4445-69f4467 1638->1657 1649 69f404c-69f405c 1641->1649 1642->1649 1646->1647 1647->1600 1660 69f405e-69f4075 1649->1660 1661 69f4077-69f4079 1649->1661 1677 69f44b9-69f450a 1657->1677 1678 69f4469-69f4485 1657->1678 1658->1637 1658->1638 1659->1658 1674 69f4311-69f435f 1659->1674 1660->1661 1663 69f407b-69f4089 1661->1663 1664 69f40c2-69f40c4 1661->1664 1663->1664 1680 69f408b-69f409d 1663->1680 1667 69f40c6-69f40d0 1664->1667 1668 69f40d2-69f40e2 1664->1668 1667->1668 1681 69f411b-69f4127 1667->1681 1682 69f410d-69f4110 1668->1682 1683 69f40e4-69f40f2 1668->1683 1722 69f4389-69f43ad 1674->1722 1723 69f4361-69f4387 1674->1723 1713 69f450c-69f4528 1677->1713 1714 69f452a-69f4568 1677->1714 1692 69f44a9-69f44ac 1678->1692 1688 69f409f-69f40a1 1680->1688 1689 69f40a3-69f40a7 1680->1689 1681->1634 1699 69f412d-69f4148 1681->1699 1742 69f4113 call 69f48b8 1682->1742 1743 69f4113 call 69f48a8 1682->1743 1694 69f4105-69f4108 1683->1694 1695 69f40f4-69f4103 1683->1695 1696 69f40ad-69f40bc 1688->1696 1689->1696 1691 69f4119 1691->1681 1692->1656 1697 69f4493-69f4496 1692->1697 1694->1600 1695->1681 1696->1664 1708 69f4239-69f424c 1696->1708 1697->1677 1701 69f4498-69f44a8 1697->1701 1699->1600 1701->1692 1708->1607 1713->1714 1732 69f43df-69f43f8 1722->1732 1733 69f43af-69f43c6 1722->1733 1723->1722 1735 69f43fa 1732->1735 1736 69f4403 1732->1736 1739 69f43c8-69f43cb 1733->1739 1740 69f43d2-69f43dd 1733->1740 1735->1736 1736->1658 1739->1740 1740->1732 1740->1733 1742->1691 1743->1691
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$k Pm^
                                              • API String ID: 0-722610573
                                              • Opcode ID: fae4eba88e2c4a7ed2a3d3b59e85c5ce84d6b760104d80fa7fb01f8dfb1bfed5
                                              • Instruction ID: 280e59202fb9ed2a80ae517b93700d5673eccc69f7ab9a0cc8876f83324fa719
                                              • Opcode Fuzzy Hash: fae4eba88e2c4a7ed2a3d3b59e85c5ce84d6b760104d80fa7fb01f8dfb1bfed5
                                              • Instruction Fuzzy Hash: DB127034F102158FCB54DF69C9849AEBBFABF88710B258169D506EB3A5DB71DC01CBA0
                                              Function 07BFFCD8 Relevance: 2.7, Strings: 2, Instructions: 201COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1744 7bffcd8-7bffd03 1745 7bffd0a-7bffd5c 1744->1745 1746 7bffd05 1744->1746 1748 7bffd5e-7bffd7e 1745->1748 1749 7bffd80-7bffd82 1745->1749 1746->1745 1750 7bffd85-7bffd90 1748->1750 1749->1750 1752 7bfff5f-7bfff83 1750->1752 1753 7bffd96-7bfff43 call 7bfc360 * 2 1750->1753 1758 7bfff84-7bfffb2 1752->1758 1780 7bfff4c-7bfff5d 1753->1780 1780->1758
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 1$v
                                              • API String ID: 0-2456183578
                                              • Opcode ID: d892c10ffb3ce3c47140ad4c17901481819044ec58db7c9769b442660f6f3823
                                              • Instruction ID: 39c6bb743d857310467ced0c090bb8fd1da6d3dc591f901fac069899759c6255
                                              • Opcode Fuzzy Hash: d892c10ffb3ce3c47140ad4c17901481819044ec58db7c9769b442660f6f3823
                                              • Instruction Fuzzy Hash: 7891A574E01218CFDB58DFA9D844BADBBB2FF89700F1080AAD909AB355DB345945CF51
                                              Function 07BFFCD5 Relevance: 2.7, Strings: 2, Instructions: 188COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1781 7bffcd5-7bffd03 1783 7bffd0a-7bffd5c 1781->1783 1784 7bffd05 1781->1784 1786 7bffd5e-7bffd7e 1783->1786 1787 7bffd80-7bffd82 1783->1787 1784->1783 1788 7bffd85-7bffd90 1786->1788 1787->1788 1790 7bfff5f-7bfff83 1788->1790 1791 7bffd96-7bffe99 1788->1791 1796 7bfff84-7bfffb2 1790->1796 1809 7bffe9f-7bffeb3 1791->1809 1810 7bffebb-7bffee4 1809->1810 1812 7bffeef-7bffefb call 7bfc360 1810->1812 1814 7bfff00-7bfff29 call 7bfc360 1812->1814 1817 7bfff2e-7bfff43 1814->1817 1818 7bfff4c-7bfff5d 1817->1818 1818->1796
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 1$v
                                              • API String ID: 0-2456183578
                                              • Opcode ID: 7f6f03f8e3c817ac124617a76d37ab19ad1f0472881a47a5f26fb018aaea4148
                                              • Instruction ID: 79c9d064f213c372bad51efd189a288076ecb0745b1b0331a1a19030b83f6f89
                                              • Opcode Fuzzy Hash: 7f6f03f8e3c817ac124617a76d37ab19ad1f0472881a47a5f26fb018aaea4148
                                              • Instruction Fuzzy Hash: 7F91A374E01218CFDB58DFA9D844BADBBB2FF89700F1080AAD909A7355DB345946CF51
                                              Function 07BF19E8 Relevance: .8, Instructions: 814COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e8252a3e4334d014416278323d5a35af92bdf73c70f9b7cf7c3a5e003ce49b3
                                              • Instruction ID: 6ae4c3138da264773eeb3ee1b014ba4e06513c2524368bcee129a9de83ec1427
                                              • Opcode Fuzzy Hash: 6e8252a3e4334d014416278323d5a35af92bdf73c70f9b7cf7c3a5e003ce49b3
                                              • Instruction Fuzzy Hash: 6A825CF4650226CFEB28CF28D558BA977B1FB44708F1081E8D9099B7A1E7389C4ADF51
                                              Function 055A6948 Relevance: .5, Instructions: 499COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2182212393.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_55a0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4cccece5128bc9ee39357166d1c2703f2ebb03a63ad86019b976293a66e826a
                                              • Instruction ID: c122bb3490e72e9e10fcbbfc2f72a6cf084209d46160576f3bf9f7e96d34099a
                                              • Opcode Fuzzy Hash: f4cccece5128bc9ee39357166d1c2703f2ebb03a63ad86019b976293a66e826a
                                              • Instruction Fuzzy Hash: BC22F071905228CFDB65DF64C958BD9BBB2FF4A300F0084E9E509AB2A1DB359E84DF50
                                              Function 069F67D8 Relevance: .4, Instructions: 426COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4bd48f8531dbc83a0a0f9f96608779f8fa91dfc7d4d11903fce88b0eb8d494e1
                                              • Instruction ID: ac4dcf4a5ec9af46a7319e64a290977e4db7a8ca76595105c991b8a78bd2f9e7
                                              • Opcode Fuzzy Hash: 4bd48f8531dbc83a0a0f9f96608779f8fa91dfc7d4d11903fce88b0eb8d494e1
                                              • Instruction Fuzzy Hash: ABF1A130A103199FCB55DF68D840B9EBBF6EF84310F158569E605EB2A1DB34ED45CBA0
                                              Function 07BFDEB8 Relevance: .3, Instructions: 320COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b69d7c3ed9ac59bf76bd433e9bc8ec22cffd1ba283721fad41e464af8d062961
                                              • Instruction ID: 5ef4bb83b81fce62f67849713f822ac95148119338d67620e74795d0b0597ccf
                                              • Opcode Fuzzy Hash: b69d7c3ed9ac59bf76bd433e9bc8ec22cffd1ba283721fad41e464af8d062961
                                              • Instruction Fuzzy Hash: 92E1B3B4E01219CFEB14DFA9C884A9DFBB2FF48310F6482A9D509A7255D734A985CF50
                                              Function 069FA3D8 Relevance: .3, Instructions: 295COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ff041ca90d07df485e1604ff0dff89d3092dc44d294645025eb3025a764bda2
                                              • Instruction ID: dbee47806c6a4d43470a33e610669a86ced0faa2c1899c061cfbacedfd877f17
                                              • Opcode Fuzzy Hash: 2ff041ca90d07df485e1604ff0dff89d3092dc44d294645025eb3025a764bda2
                                              • Instruction Fuzzy Hash: 6ED1D474901218CFCB54EFB4D854A9DBBB2FF8A301F2081A9D51AAB394DB359D86CF11
                                              Function 069FA3E8 Relevance: .3, Instructions: 289COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 131668e0338a07be32244d1c540ef96d5985deadd95ae5526e7b40881de5adc1
                                              • Instruction ID: fd3c2dc840b29963207020a37b2950d191a7deee85ab3adb332c5444198dfeac
                                              • Opcode Fuzzy Hash: 131668e0338a07be32244d1c540ef96d5985deadd95ae5526e7b40881de5adc1
                                              • Instruction Fuzzy Hash: B9D1D474D01218CFCB54EFB4D844A9DBBB2FF8A301F2081A9D51AAB294DB359D86CF11
                                              Function 055A7C20 Relevance: .3, Instructions: 279COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2182212393.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_55a0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4de04fd26c6158845ba4402fb35defbd34a98107908c9868a143bfb74b561adf
                                              • Instruction ID: 95f84aaf9e919cdc2283309879499d0026f2d8d0d52a499241065ee98ea1fef0
                                              • Opcode Fuzzy Hash: 4de04fd26c6158845ba4402fb35defbd34a98107908c9868a143bfb74b561adf
                                              • Instruction Fuzzy Hash: D2C1A375E00219CFDB14DFAAD980A9DBBB6FF88300F1081A9D809AB355DB349D86CF51
                                              Function 055A7C10 Relevance: .1, Instructions: 126COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2182212393.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_55a0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ac7fe4f0fe5db2e696bdeb6658734eca1a012bde26c142ca2f4f598f83404bd
                                              • Instruction ID: 2c997648b36a12ce98a9f52cdf0f1f108471de0f2f0faee38d1b398de0871d69
                                              • Opcode Fuzzy Hash: 6ac7fe4f0fe5db2e696bdeb6658734eca1a012bde26c142ca2f4f598f83404bd
                                              • Instruction Fuzzy Hash: 6151A975E00218CBDB18DFA6D944B9EBBB7BF88300F14C0A9981DAB269DB3459458F50
                                              Function 069D0D80 Relevance: 20.6, Strings: 16, Instructions: 618COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 294 69d0d80-69d0dcb 299 69d0efd-69d0f10 294->299 300 69d0dd1-69d0dd3 294->300 303 69d1006-69d1011 299->303 304 69d0f16-69d0f25 299->304 301 69d0dd6-69d0de5 300->301 306 69d0e9d-69d0ea1 301->306 307 69d0deb-69d0e1d 301->307 309 69d1019-69d1022 303->309 314 69d0f2b-69d0f51 304->314 315 69d0fd1-69d0fd5 304->315 310 69d0eb0 306->310 311 69d0ea3-69d0eae 306->311 342 69d0e1f-69d0e24 307->342 343 69d0e26-69d0e2d 307->343 313 69d0eb5-69d0eb8 310->313 311->313 313->309 319 69d0ebe-69d0ec2 313->319 344 69d0f5a-69d0f61 314->344 345 69d0f53-69d0f58 314->345 316 69d0fe4 315->316 317 69d0fd7-69d0fe2 315->317 320 69d0fe6-69d0fe8 316->320 317->320 322 69d0ec4-69d0ecf 319->322 323 69d0ed1 319->323 326 69d1039-69d10b5 320->326 327 69d0fea-69d0ff4 320->327 328 69d0ed3-69d0ed5 322->328 323->328 376 69d1189-69d119c 326->376 377 69d10bb-69d10bd 326->377 336 69d0ff7-69d1000 327->336 332 69d0edb-69d0ee5 328->332 333 69d1025-69d1032 328->333 346 69d0ee8-69d0ef2 332->346 333->326 336->303 336->304 347 69d0e91-69d0e9b 342->347 348 69d0e2f-69d0e50 343->348 349 69d0e52-69d0e76 343->349 351 69d0f86-69d0faa 344->351 352 69d0f63-69d0f84 344->352 350 69d0fc5-69d0fcf 345->350 346->301 353 69d0ef8 346->353 347->346 348->347 366 69d0e8e 349->366 367 69d0e78-69d0e7e 349->367 350->336 368 69d0fac-69d0fb2 351->368 369 69d0fc2 351->369 352->350 353->309 366->347 371 69d0e80 367->371 372 69d0e82-69d0e84 367->372 373 69d0fb4 368->373 374 69d0fb6-69d0fb8 368->374 369->350 371->366 372->366 373->369 374->369 381 69d1234-69d123f 376->381 382 69d11a2-69d11b1 376->382 378 69d10c0-69d10cf 377->378 383 69d1129-69d112d 378->383 384 69d10d1-69d10dd 378->384 388 69d1247-69d1250 381->388 391 69d11ff-69d1203 382->391 392 69d11b3-69d11dc 382->392 385 69d113c 383->385 386 69d112f-69d113a 383->386 397 69d10e7-69d10fe 384->397 390 69d1141-69d1144 385->390 386->390 390->388 396 69d114a-69d114e 390->396 394 69d1205-69d1210 391->394 395 69d1212 391->395 415 69d11de-69d11e4 392->415 416 69d11f4-69d11fd 392->416 400 69d1214-69d1216 394->400 395->400 398 69d115d 396->398 399 69d1150-69d115b 396->399 406 69d1104-69d1106 397->406 405 69d115f-69d1161 398->405 399->405 403 69d1218-69d1222 400->403 404 69d1267-69d12af 400->404 420 69d1225-69d122e 403->420 430 69d12c7-69d12e9 404->430 431 69d12b1-69d12b7 404->431 409 69d1167-69d1171 405->409 410 69d1253-69d1260 405->410 412 69d111e-69d1127 406->412 413 69d1108-69d110e 406->413 427 69d1174-69d117e 409->427 410->404 412->427 418 69d1110 413->418 419 69d1112-69d1114 413->419 421 69d11e8-69d11ea 415->421 422 69d11e6 415->422 416->420 418->412 419->412 420->381 420->382 421->416 422->416 427->378 428 69d1184 427->428 428->388 436 69d12ec-69d12f0 430->436 432 69d12b9 431->432 433 69d12bb-69d12bd 431->433 432->430 433->430 437 69d12f9-69d12fe 436->437 438 69d12f2-69d12f7 436->438 439 69d1304-69d1307 437->439 438->439 440 69d130d-69d1322 439->440 441 69d14f8-69d1500 439->441 440->436 443 69d1324 440->443 444 69d1498 443->444 445 69d132b-69d1350 443->445 446 69d13e0-69d1405 443->446 447 69d14a2-69d14b9 444->447 458 69d1356-69d135a 445->458 459 69d1352-69d1354 445->459 456 69d140b-69d140f 446->456 457 69d1407-69d1409 446->457 451 69d14bf-69d14f3 447->451 451->436 461 69d1411-69d142e 456->461 462 69d1430-69d1453 456->462 460 69d146d-69d1493 457->460 464 69d135c-69d1379 458->464 465 69d137b-69d139e 458->465 463 69d13b8-69d13db 459->463 460->436 461->460 480 69d146b 462->480 481 69d1455-69d145b 462->481 463->436 464->463 482 69d13b6 465->482 483 69d13a0-69d13a6 465->483 480->460 486 69d145d 481->486 487 69d145f-69d1461 481->487 482->463 484 69d13a8 483->484 485 69d13aa-69d13ac 483->485 484->482 485->482 486->480 487->480
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                              • API String ID: 0-2551331179
                                              • Opcode ID: 95c572d9489c2588cee8b2ed4bda57d1f79d393c982b45217ef909cb3a13a1ea
                                              • Instruction ID: 0fe82f047a1a694a711e011c51fd9a4dd223f6b03848723bcadeb759457bb83f
                                              • Opcode Fuzzy Hash: 95c572d9489c2588cee8b2ed4bda57d1f79d393c982b45217ef909cb3a13a1ea
                                              • Instruction Fuzzy Hash: 0132AF30B042059FDB559F69C894A7EBBE6BF89304B24C869E506C77A2CB75DC01CB51
                                              Function 069D1582 Relevance: 7.8, Strings: 6, Instructions: 338COMMON
                                              Download Yara Rule

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1292 69d1582-69d1584 1293 69d158e 1292->1293 1294 69d1598-69d15af 1293->1294 1295 69d15b5-69d15b7 1294->1295 1296 69d15cf-69d15f1 1295->1296 1297 69d15b9-69d15bf 1295->1297 1302 69d1638-69d163f 1296->1302 1298 69d15c1 1297->1298 1299 69d15c3-69d15c5 1297->1299 1298->1296 1299->1296 1303 69d1645-69d1747 1302->1303 1304 69d1571-69d1580 1302->1304 1304->1292 1307 69d15f3-69d15f7 1304->1307 1308 69d15f9-69d1604 1307->1308 1309 69d1606 1307->1309 1311 69d160b-69d160e 1308->1311 1309->1311 1311->1303 1314 69d1610-69d1614 1311->1314 1315 69d1616-69d1621 1314->1315 1316 69d1623 1314->1316 1317 69d1625-69d1627 1315->1317 1316->1317 1318 69d162d-69d1637 1317->1318 1319 69d174a-69d177c 1317->1319 1318->1302 1326 69d177e-69d1794 1319->1326 1327 69d1795-69d17a7 1319->1327 1326->1327 1329 69d17bf-69d17e1 1327->1329 1330 69d17a9-69d17af 1327->1330 1335 69d17e4-69d17e8 1329->1335 1331 69d17b1 1330->1331 1332 69d17b3-69d17b5 1330->1332 1331->1329 1332->1329 1336 69d17ea-69d17ef 1335->1336 1337 69d17f1-69d17f6 1335->1337 1338 69d17fc-69d17ff 1336->1338 1337->1338 1339 69d1abf-69d1ac7 1338->1339 1340 69d1805-69d181a 1338->1340 1340->1335 1342 69d181c 1340->1342 1343 69d18d8-69d198b 1342->1343 1344 69d1a07-69d1a2c 1342->1344 1345 69d1990-69d19bd 1342->1345 1346 69d1823-69d18d3 1342->1346 1343->1335 1360 69d1a2e-69d1a30 1344->1360 1361 69d1a32-69d1a36 1344->1361 1367 69d1b36-69d1b77 1345->1367 1368 69d19c3-69d19cd 1345->1368 1346->1335 1366 69d1a94-69d1aba 1360->1366 1369 69d1a38-69d1a55 1361->1369 1370 69d1a57-69d1a7a 1361->1370 1366->1335 1371 69d1b00-69d1b2f 1368->1371 1372 69d19d3-69d1a02 1368->1372 1369->1366 1389 69d1a7c-69d1a82 1370->1389 1390 69d1a92 1370->1390 1371->1367 1372->1335 1392 69d1a84 1389->1392 1393 69d1a86-69d1a88 1389->1393 1390->1366 1392->1390 1393->1390
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                              • API String ID: 0-3723351465
                                              • Opcode ID: bd111616ef252f537498c63a9d365d415683b1b4641e74bd468cc0aadb10cbea
                                              • Instruction ID: c5bc326772c65d7069fc20989be3d143901c30b2212bc897089e50da704d052b
                                              • Opcode Fuzzy Hash: bd111616ef252f537498c63a9d365d415683b1b4641e74bd468cc0aadb10cbea
                                              • Instruction Fuzzy Hash: 9BC1E534B042019FDB959BA8C894A7E7BEAEF85700F10897AE502CB7A2DF75DC05CB51
                                              Function 069F48B8 Relevance: 1.8, Strings: 1, Instructions: 600COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: + Pm^
                                              • API String ID: 0-1772364228
                                              • Opcode ID: 0bbdaff59ef9b45211f2e599db54eaa97ccdef820287c66db0801566d98c5e79
                                              • Instruction ID: 00310e0385e0529c8638b6aef0ceab4fdc37e791fa1d94bfb5209316a80f3782
                                              • Opcode Fuzzy Hash: 0bbdaff59ef9b45211f2e599db54eaa97ccdef820287c66db0801566d98c5e79
                                              • Instruction Fuzzy Hash: 9E325034B106018FCB54DF39D584A6ABBFAFF88710B1584A9E506CB7A6DB34EC45CB90
                                              Function 0302AE30 Relevance: 1.7, APIs: 1, Instructions: 207COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0302B086
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 031ab3c6aa3b76a0a138b524c624258b62e404272d8b4e1dfb9aeb683af49890
                                              • Instruction ID: 9f7a99bc3c62f05934ac9f69300961f4ef1dfddd62cc141c7b108ea86fcc35f1
                                              • Opcode Fuzzy Hash: 031ab3c6aa3b76a0a138b524c624258b62e404272d8b4e1dfb9aeb683af49890
                                              • Instruction Fuzzy Hash: 14817AB0A01B158FDB64DF69D04079ABBF5FF88704F04896DD48AD7A50DB38E80ACB90
                                              Function 055A0BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                              Download Yara Rule
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 055A4381
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2182212393.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_55a0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: f84f3d3200740fa60eb4543051406c3c50663443fa94ab1209d6cf90fe439626
                                              • Instruction ID: b917253ef2eaa1bf86858379421fb0202d34e097d6df11c55dce101fa3e9816f
                                              • Opcode Fuzzy Hash: f84f3d3200740fa60eb4543051406c3c50663443fa94ab1209d6cf90fe439626
                                              • Instruction Fuzzy Hash: EC4105B5900305DFDB14CF99C488AAEBBF5FF88314F248959E519AB321D774A885CFA0
                                              Function 03025935 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 030259F1
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 37e6e27112002698ec332a56599df71fbeb76e779a43bc75481e7041c883f6b6
                                              • Instruction ID: 671731290dec39a24707d5f3b216f5729a20c4e1a48d1fb24e2233981676322c
                                              • Opcode Fuzzy Hash: 37e6e27112002698ec332a56599df71fbeb76e779a43bc75481e7041c883f6b6
                                              • Instruction Fuzzy Hash: 1241FFB0C00629CEDB24CFA9C884B9DFBF5FF49304F24806AD418AB254DB75694ACF91
                                              Function 03024248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                              Download Yara Rule
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 030259F1
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: d3eff93902f1aebaaea5654b76595769f48bd84c140365b5be73f4acff366460
                                              • Instruction ID: c2d44918a1499ea0fa88a8f0d03a77f327c695e02e6ae3d6ac4f9dff1106ece0
                                              • Opcode Fuzzy Hash: d3eff93902f1aebaaea5654b76595769f48bd84c140365b5be73f4acff366460
                                              • Instruction Fuzzy Hash: 0241FFB0C00629CBDB24CFA9C884B9DFBF5FF49304F24806AD408AB250DB756946CF95
                                              Function 0302A858 Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0302B101,00000800,00000000,00000000), ref: 0302B312
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 5b24a44fc25a6328cb63352620b6d980ed320925d03363b87a2ba5baaf040f8e
                                              • Instruction ID: 9f9c275e5a321a77561a1d0e6440b4a9cc67f09872b8a6224d9a8b409689e5cc
                                              • Opcode Fuzzy Hash: 5b24a44fc25a6328cb63352620b6d980ed320925d03363b87a2ba5baaf040f8e
                                              • Instruction Fuzzy Hash: D731BDB68053988FDB11DFAAC894ADEBFF4EF49310F04845AD848A7211C6789545CFA5
                                              Function 0302C9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                              Download Yara Rule
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0302D2C6,?,?,?,?,?), ref: 0302D387
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 8c18e0102fd252b06a95a768206d11090acc10025fec7d804e4eebabcc0d3823
                                              • Instruction ID: d989ffa06c733a5b0cbbbdd7a5156858aa9cf435f9df51777bc27b122cf2d7a8
                                              • Opcode Fuzzy Hash: 8c18e0102fd252b06a95a768206d11090acc10025fec7d804e4eebabcc0d3823
                                              • Instruction Fuzzy Hash: 3C21E6B5901258AFDB10CF9AD984ADEFFF4FB48310F14841AE918A3310D378A954CFA5
                                              Function 0302D2F9 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                              Download Yara Rule
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0302D2C6,?,?,?,?,?), ref: 0302D387
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 5c9b2f0377ef8c7dbf1dcadf8b1fb7f2816d71cd8bd7145679f9b501e950afe3
                                              • Instruction ID: c18c0266a51b8b79bde4cad178f3e5c0b6e08298949bd86855deca2fda35bb6a
                                              • Opcode Fuzzy Hash: 5c9b2f0377ef8c7dbf1dcadf8b1fb7f2816d71cd8bd7145679f9b501e950afe3
                                              • Instruction Fuzzy Hash: 8D21E5B59012189FDB10CF99D584ADEBBF4FB48310F14841AE918B3210D378A944CF64
                                              Function 0302A870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0302B101,00000800,00000000,00000000), ref: 0302B312
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 468beac99163424d5945d7aeefced5f68542c28b173080ebdf92a71733e24edd
                                              • Instruction ID: e290510c93c251237597029160838f7358ff12e93cec8ba9cfb94e490dd78ae2
                                              • Opcode Fuzzy Hash: 468beac99163424d5945d7aeefced5f68542c28b173080ebdf92a71733e24edd
                                              • Instruction Fuzzy Hash: 401114B68013499FDB10CF9AC444AAEFBF4EF48310F14842AD919A7200C378A544CFA5
                                              Function 0302B2A0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0302B101,00000800,00000000,00000000), ref: 0302B312
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: df4f12dd71f94e83305a66c3e803023775813f96ddf6b90c1c43b83af0c85eb2
                                              • Instruction ID: 529ae9ed9e835fe62da515ea0bbe364a8180e97bfe2ac006fc13def6db1d80f5
                                              • Opcode Fuzzy Hash: df4f12dd71f94e83305a66c3e803023775813f96ddf6b90c1c43b83af0c85eb2
                                              • Instruction Fuzzy Hash: C11114B68003489FCB10CF9AC444ADEFFF4EF48310F14841AD919A7210C378A545CFA5
                                              Function 07BF4AB8 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryW.KERNELBASE(00000000), ref: 07BF4B26
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 07cf559657575f6bec354cbe6e6ebc561052e6e10e0256815f14a890fbd06e31
                                              • Instruction ID: e4f62dbae2f5ca00d00be4cfb8cf2368a18bfa23a6e4bd60108a76cd3166a6f4
                                              • Opcode Fuzzy Hash: 07cf559657575f6bec354cbe6e6ebc561052e6e10e0256815f14a890fbd06e31
                                              • Instruction Fuzzy Hash: 941123B6C002499FDB10DF9AC844B9EFBF4EF88720F14846AD518B7211D378A545CFA1
                                              Function 07BF4AC0 Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON
                                              Download Yara Rule
                                              APIs
                                              • LoadLibraryW.KERNELBASE(00000000), ref: 07BF4B26
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 5d69e314fa656656df285e267f3b85cf622551530477445fa91017c98792d1d2
                                              • Instruction ID: d3a76f87389db724c2837764ccf0255f399b93b3b858d55f2c9d12af32c87ed2
                                              • Opcode Fuzzy Hash: 5d69e314fa656656df285e267f3b85cf622551530477445fa91017c98792d1d2
                                              • Instruction Fuzzy Hash: 651102B6C006498FDB10DFAAC944B9EFBF4EF88720F14845AD519B7211D378A645CFA1
                                              Function 0302B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                              Download Yara Rule
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0302B086
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 4e1e43361ff9ca48ec1a2bf4519ef236db4297e0a3485da297a13511c59d5007
                                              • Instruction ID: 5b34ccedee856f39418a5d50f483659e30549bc713e78ce838d862c57239c0f2
                                              • Opcode Fuzzy Hash: 4e1e43361ff9ca48ec1a2bf4519ef236db4297e0a3485da297a13511c59d5007
                                              • Instruction Fuzzy Hash: 6A110FB6C007498FCB20CF9AC484A9EFBF8AF88620F14841AD428B7210C379A545CFA5
                                              Function 069F59D8 Relevance: 1.5, Strings: 1, Instructions: 295COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: d
                                              • API String ID: 0-2564639436
                                              • Opcode ID: 89f8b048e5c6a0c24b2323ac3c07aab7044f3c97b4a3e4a97225519b66bc1456
                                              • Instruction ID: e053e43160ba443bab31e9e2b8eddfdb81283b82807812be74712115aed6f1a9
                                              • Opcode Fuzzy Hash: 89f8b048e5c6a0c24b2323ac3c07aab7044f3c97b4a3e4a97225519b66bc1456
                                              • Instruction Fuzzy Hash: E7C15C34710602CFCB65CF28C58096ABBF6FF89310B26C999D55A8BA65D730FC56CB90
                                              Function 069F48A8 Relevance: 1.5, Strings: 1, Instructions: 283COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: + Pm^
                                              • API String ID: 0-1772364228
                                              • Opcode ID: bfdb3adee732c12f8dee1b914545448b67b2c358dcd122ef14563e7837126b8b
                                              • Instruction ID: 643d36b1100faa16fe1a5d73efcea2d75fb1cc51511cde98862b75a4a67e5891
                                              • Opcode Fuzzy Hash: bfdb3adee732c12f8dee1b914545448b67b2c358dcd122ef14563e7837126b8b
                                              • Instruction Fuzzy Hash: 0CB16A34B106048FCB54DF39C584A5ABBFAFF88700B2544A9E506DB7A2DB34ED05CBA0
                                              Function 069D1BA0 Relevance: 1.4, Instructions: 1441COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b5ff181298172e4f0f8c8d02db708fe34c93af2701fae85f5f4ee59f388e873
                                              • Instruction ID: 07cf8bf2c45ebef9630c2c799090c236d84fbf6baae64d8c1d3ee5c2efabfeec
                                              • Opcode Fuzzy Hash: 5b5ff181298172e4f0f8c8d02db708fe34c93af2701fae85f5f4ee59f388e873
                                              • Instruction Fuzzy Hash: D5C27070B001189FCB54DF64C991EADBBB6FF88700F108499E60AAB3A1DB719E45DF61
                                              Function 069F3DE0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q
                                              • API String ID: 0-1259897404
                                              • Opcode ID: a0e1fd4883804d9712efb6766395e80d93cbbf2b88b320a646d6744bba1a6110
                                              • Instruction ID: 3210434df09c87d0db88d3b40b50bd7972696d41a1647fcca3f71f2dc06c1cb0
                                              • Opcode Fuzzy Hash: a0e1fd4883804d9712efb6766395e80d93cbbf2b88b320a646d6744bba1a6110
                                              • Instruction Fuzzy Hash: 1A31C331B052514FC769AB38A8504AE7BEADFC622071544BAE449CF791DE39EC0BC7E1
                                              Function 069F84D8 Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q
                                              • API String ID: 0-1259897404
                                              • Opcode ID: 2620bdfde729be8c8ce25344c83970c16c8343c360f33a3af1042e0ccbb38c9d
                                              • Instruction ID: 95f1772452a7be13450c06f2b3e8a6487732008fb9f945e6afd615ec4135b7a4
                                              • Opcode Fuzzy Hash: 2620bdfde729be8c8ce25344c83970c16c8343c360f33a3af1042e0ccbb38c9d
                                              • Instruction Fuzzy Hash: AB318031B00214CFDB48EB79A65856E77E7EFC8200B104839E60ADF384EE39AC0687D1
                                              Function 069F84C8 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q
                                              • API String ID: 0-1259897404
                                              • Opcode ID: 678cfe1673c407c54b6eb668737306e8a31fc1f7546c1c04c3edfe8e75677923
                                              • Instruction ID: 35aa1e930ab40d7f98a5e1f7c6d653d6e68d5917045010382158a130c5036f0b
                                              • Opcode Fuzzy Hash: 678cfe1673c407c54b6eb668737306e8a31fc1f7546c1c04c3edfe8e75677923
                                              • Instruction Fuzzy Hash: FF319330700214CFDB49AB79965857E36E7AFC9200B10487DE60ADF384EE38AC0687D2
                                              Function 069FB358 Relevance: 1.3, Strings: 1, Instructions: 38COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q
                                              • API String ID: 0-1259897404
                                              • Opcode ID: 717bbc9fd4b370f7de908f1d6b46616b6021f1a0754405f48368e30c6952ba92
                                              • Instruction ID: cf60468e8389ad082e07355168b0313e72250f0573a2aeafd5ff094ff186bc3e
                                              • Opcode Fuzzy Hash: 717bbc9fd4b370f7de908f1d6b46616b6021f1a0754405f48368e30c6952ba92
                                              • Instruction Fuzzy Hash: 0E018474D0624ADFCB45EFB8E59458C7FB2FF45200B1541A9D946A7350DB344E49CF11
                                              Function 069FB368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q
                                              • API String ID: 0-1259897404
                                              • Opcode ID: b567d7afd257455a8db090c82440fb0928435b90f4e26539f5c305f5ce0c2cd0
                                              • Instruction ID: 8b37fc4fdca540ac4d0b55f2e1b9a465d13620d02737d55b3f1fc10858865e93
                                              • Opcode Fuzzy Hash: b567d7afd257455a8db090c82440fb0928435b90f4e26539f5c305f5ce0c2cd0
                                              • Instruction Fuzzy Hash: 52F06970E0220AAFCB04EFBCE54489CBBB6FB44200B2441A8D90AA7354DB385E09CF51
                                              Function 069D3838 Relevance: 1.0, Instructions: 1025COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 76c0ee858461848b69f2e7e51e76fd0c81c753fbcc16a6fb32deb4e5d8c02dae
                                              • Instruction ID: cf67c22e3a55814d1c33b5631b9cd50c994d1fa49558af225bdd76280075d1c8
                                              • Opcode Fuzzy Hash: 76c0ee858461848b69f2e7e51e76fd0c81c753fbcc16a6fb32deb4e5d8c02dae
                                              • Instruction Fuzzy Hash: B5825874B502049FCB44DF68C994EAEBBF6EF89704F1580A9E506DB3A1CA71EC41CB61
                                              Function 069D00D8 Relevance: .7, Instructions: 676COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d78f3b3fd47e289eef756134fd8088c66109f0be5b6fed55f97b141b0befc4e
                                              • Instruction ID: e5636e9d27daab362a6eced60b7312f35aa4ea991b79f26e340760198cf8f87b
                                              • Opcode Fuzzy Hash: 8d78f3b3fd47e289eef756134fd8088c66109f0be5b6fed55f97b141b0befc4e
                                              • Instruction Fuzzy Hash: 51428930B406158FCB65AF78E450A6E7AA6FF85304F014A6CD5079B794CF7AAC098B92
                                              Function 069D2070 Relevance: .6, Instructions: 568COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d534860fb79c47846ab90c37995d87c1ca89a6f10caa0ca87338cc0a90bfedbd
                                              • Instruction ID: f5d5a3e5282329fdfcc1da7670b3e211a2fa245d5ce3d806493faee8bd65bbb4
                                              • Opcode Fuzzy Hash: d534860fb79c47846ab90c37995d87c1ca89a6f10caa0ca87338cc0a90bfedbd
                                              • Instruction Fuzzy Hash: FB22D370B501148FCB149F24C995EAE77B6EFC8704F10C599EA0A9B7A1CFB1EE418B91
                                              Function 069D0598 Relevance: .5, Instructions: 462COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c5b50c9da6c6f94f1f2bbb82cdb5c1d8b9b665e2e38bae54d6c90a82dba924c
                                              • Instruction ID: 4c7834736015c2ea7a2e6f470e0aead7db1a1124812609662be2ca870c4bb76c
                                              • Opcode Fuzzy Hash: 3c5b50c9da6c6f94f1f2bbb82cdb5c1d8b9b665e2e38bae54d6c90a82dba924c
                                              • Instruction Fuzzy Hash: A502CF30B402048FDB559F78D894A2E7BB6FF89704F108969D5069B7A1CFBAEC05CB91
                                              Function 069D0610 Relevance: .5, Instructions: 453COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7b41aa790df2bf538fb6a1ee234e44b83c8135717fe45ca403e592945f327141
                                              • Instruction ID: 7c6786904ee6b74965a5d0b310c530160afb57fe8ba02b7408b0181a676274f5
                                              • Opcode Fuzzy Hash: 7b41aa790df2bf538fb6a1ee234e44b83c8135717fe45ca403e592945f327141
                                              • Instruction Fuzzy Hash: 5B02C330B402048FDB549F74D994A2E7BB6FF89704F108969E5069B7A1CFBAEC05CB91
                                              Function 069D0688 Relevance: .4, Instructions: 389COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b22c7e35978d7b37364b52981e8e5b09b3d1cbb1ade99e41103cf10e41a027e8
                                              • Instruction ID: 465c4f95ed1963eaa70cc21e63eb41f94fbff88c8c0e3d7560b51d86228e5de0
                                              • Opcode Fuzzy Hash: b22c7e35978d7b37364b52981e8e5b09b3d1cbb1ade99e41103cf10e41a027e8
                                              • Instruction Fuzzy Hash: 38E1C130B002048FDB449F74C999A2E7BB6FF89704F108569E6069B7A1CFBADC05CB91
                                              Function 069D0700 Relevance: .4, Instructions: 365COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d87bf7281ed558d2ca002644c130045c28a135edaf8f0a7ca54c6b87b0949971
                                              • Instruction ID: d42e4eb88fb61d71b425804ed8e63ffc69c483565a450372be367a1d041f404f
                                              • Opcode Fuzzy Hash: d87bf7281ed558d2ca002644c130045c28a135edaf8f0a7ca54c6b87b0949971
                                              • Instruction Fuzzy Hash: 72D1A330B002049FDB449F64C999B697BB6FF89704F108579EA069B7A1CFBADC05CB91
                                              Function 069D00B7 Relevance: .3, Instructions: 339COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f058cbc26e61b0ebee2f7b908ca3e57fbc0e0d012b77e93bd83cd2298af6b03b
                                              • Instruction ID: 44249debcb76414ff179a7649e308625e44b3f53d7c0ce1160a9b0596ad5a2e3
                                              • Opcode Fuzzy Hash: f058cbc26e61b0ebee2f7b908ca3e57fbc0e0d012b77e93bd83cd2298af6b03b
                                              • Instruction Fuzzy Hash: E5C17030B002049FDB449FA4C999B697BB6FF89704F108566E606DB7A1CFBADC41CB91
                                              Function 069F7D58 Relevance: .1, Instructions: 147COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 449eeeed7c0908b8dcb9aa87b83f999884ece8f132ed14f8624f842cc30dc35d
                                              • Instruction ID: 2b2f0179ed82cdfb49a10a96b79b3cffe107cd52a5f074c7e92e9eed384fb530
                                              • Opcode Fuzzy Hash: 449eeeed7c0908b8dcb9aa87b83f999884ece8f132ed14f8624f842cc30dc35d
                                              • Instruction Fuzzy Hash: EA513571E10218DFDB54CFE9E980BEEBBB5BF88300F25842AD515AB654DB749941CF80
                                              Function 069D34D8 Relevance: .1, Instructions: 143COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dc441ca4f5980d418356235466f9ee56f68e031b23f04627d2f7a5035124236b
                                              • Instruction ID: cbc6dce569797ca91921ad3d7a46d63b2022ba115e834e53f1999dd1a3f41a03
                                              • Opcode Fuzzy Hash: dc441ca4f5980d418356235466f9ee56f68e031b23f04627d2f7a5035124236b
                                              • Instruction Fuzzy Hash: 46514735B101199FCB54CF69C88499EBBF6FF89310B1580A9E909EB361DB70EC05CB61
                                              Function 069F7D4C Relevance: .1, Instructions: 132COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 499433a76ffa52b804757daf99720d510478cee475d3027377ce928b74ec67dc
                                              • Instruction ID: bbb070a2c52a8d98f4567e7c748a0ca3b8d3e2fde85b189e72eccaf1be27f846
                                              • Opcode Fuzzy Hash: 499433a76ffa52b804757daf99720d510478cee475d3027377ce928b74ec67dc
                                              • Instruction Fuzzy Hash: 4A5156B0E10219DFDB50CFE9D980BEEBBF9AF48300F24842AE415AB650DB749841CF91
                                              Function 069F59C8 Relevance: .1, Instructions: 126COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e33aba9d40d077d23d5fb4a5eb73c2187b2a8410484ed40bc8c566c56a7854cb
                                              • Instruction ID: 90122a773cac8bb36becaf88b0231c0dd10f20d6c1f7e41581a8ca65cb7b9070
                                              • Opcode Fuzzy Hash: e33aba9d40d077d23d5fb4a5eb73c2187b2a8410484ed40bc8c566c56a7854cb
                                              • Instruction Fuzzy Hash: 6D417C34B10606DFCB11CF58C8809AABBF6FF89310B16C999E656DB661D731F911CB90
                                              Function 069F5579 Relevance: .1, Instructions: 107COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b6a93397888e8d0d1b175beb051101281e5a811040450c854ed303c3cd9ade50
                                              • Instruction ID: 922d95e4142d4e162074a3aec7467b764f043ed13f627fab4159dc4d3cb00339
                                              • Opcode Fuzzy Hash: b6a93397888e8d0d1b175beb051101281e5a811040450c854ed303c3cd9ade50
                                              • Instruction Fuzzy Hash: 0E31B035B112109FCB15DF38D84499EBBBAFF89311B118469EA05CB3A5CB75ED05CBA0
                                              Function 069FF920 Relevance: .1, Instructions: 97COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ae26da53d741eccc6667bf67fab7082ef0706fa7ad280f6a2e8498972558b4b
                                              • Instruction ID: 87f90b22d12057594287b3b7381590a9c2871f2d7b8dd0f209dfb1adb4d3acc1
                                              • Opcode Fuzzy Hash: 1ae26da53d741eccc6667bf67fab7082ef0706fa7ad280f6a2e8498972558b4b
                                              • Instruction Fuzzy Hash: A931D57A7093545FCB596F78E85446A3FABEF8621031504AAE606CB391EE398C06C761
                                              Function 069F5588 Relevance: .1, Instructions: 96COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6eb49e3a7ebf48d2d7bed21ddb99f46dbaa3323bc01542587cf14c2067aad5f
                                              • Instruction ID: 2d229f561586afc6470a7becce08e65dc2bf53734afe2a4ec7eb1c0a6526c089
                                              • Opcode Fuzzy Hash: c6eb49e3a7ebf48d2d7bed21ddb99f46dbaa3323bc01542587cf14c2067aad5f
                                              • Instruction Fuzzy Hash: 2631D034B102109FCB15DF38D88495EBBBAFF89300B118469EA05CB3A5CB71ED01CBA0
                                              Function 069F87A0 Relevance: .1, Instructions: 93COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1d4974e50d972a9b056c2ce4b976983ffb32d56c5ff396bde88be8a0ab1fa9d
                                              • Instruction ID: 5d4bee85aca8df9c6e031c662ff3c795eb7e69eccc36b2240f8e3c85fca52312
                                              • Opcode Fuzzy Hash: e1d4974e50d972a9b056c2ce4b976983ffb32d56c5ff396bde88be8a0ab1fa9d
                                              • Instruction Fuzzy Hash: 3541F0B1D11248DFDB54DFAAD940ADEBFB6AF88310F20842AE519B7250DB34A945CF90
                                              Function 069F8796 Relevance: .1, Instructions: 82COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 318a4f2ce44dd50629b43a3e471b68c58ba129340920407b48b2b302c3cd0d0f
                                              • Instruction ID: 236d08f84ae194e2b97369a4657f07b64b728529077fec99ab2715f47b6fde33
                                              • Opcode Fuzzy Hash: 318a4f2ce44dd50629b43a3e471b68c58ba129340920407b48b2b302c3cd0d0f
                                              • Instruction Fuzzy Hash: 923126B1D11248DFDB54DFAAC940ADEBFFAAF88310F24802AD525B7250DB345945CF90
                                              Function 02D9D654 Relevance: .1, Instructions: 77COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172817839.0000000002D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2d9d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 07680b2c179c35859512596530999e93bc8b5945049aa04ec0f8ff18904587cf
                                              • Instruction ID: 7a418f33c9ca4077bd59da06710f8b3d7e38e99bd4670a85352bf5e1301d4bf5
                                              • Opcode Fuzzy Hash: 07680b2c179c35859512596530999e93bc8b5945049aa04ec0f8ff18904587cf
                                              • Instruction Fuzzy Hash: F121C476504244DFDF05AF14D9C4F26BFA6FB88314F248669E9490B356C33AD816CBA1
                                              Function 069D105C Relevance: .1, Instructions: 77COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183363885.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69d0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0048007526326923b7c4a7ca8ed77697efcd209e032cf28cbf25deaea2286211
                                              • Instruction ID: e450823a778cbefebcd2d97c5cd460c1475a84f83f0467b879cae72ddc929b50
                                              • Opcode Fuzzy Hash: 0048007526326923b7c4a7ca8ed77697efcd209e032cf28cbf25deaea2286211
                                              • Instruction Fuzzy Hash: 5221B231B042049FDB55CB6998449BABBFAFFC5214B25857AE415C76A1CB70CC11C761
                                              Function 069F8A98 Relevance: .1, Instructions: 77COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fcdf5646e7abd881d5f7e965e54884bbb584c735a8f4761e32ff2078fb9a3c38
                                              • Instruction ID: 1e68bcb00d066e33a8c8212731076b38ebe08d5c298135d6f9bad64fb3c9f6b8
                                              • Opcode Fuzzy Hash: fcdf5646e7abd881d5f7e965e54884bbb584c735a8f4761e32ff2078fb9a3c38
                                              • Instruction Fuzzy Hash: 243114B1D11258DFDF54CFA9D990ADEBBB9AF48310F24882AE509B7240C734A946CB90
                                              Function 02D9D3D8 Relevance: .1, Instructions: 75COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172817839.0000000002D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2d9d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 51c64ed5ad40ec6441ef21816d1bc59fc85b927c12f559d32812922c2147e81d
                                              • Instruction ID: 3b619bc2408e37172ae315d816ef604dcf2239b62b234e789cbabf55f0e22ece
                                              • Opcode Fuzzy Hash: 51c64ed5ad40ec6441ef21816d1bc59fc85b927c12f559d32812922c2147e81d
                                              • Instruction Fuzzy Hash: 47210371500204DFDF09EF14D9C0B26BF66FB99324F24C569E9490B31AC33AE856CAA2
                                              Function 02D9D4C4 Relevance: .1, Instructions: 75COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172817839.0000000002D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2d9d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a7e3f5032ff663643534ba2cb20676aba65167336d79c7f816159fd8a87da752
                                              • Instruction ID: 9cc84a4d1997a1429acb056f84de864150fe943de4d43792e4633b0b7106d4ca
                                              • Opcode Fuzzy Hash: a7e3f5032ff663643534ba2cb20676aba65167336d79c7f816159fd8a87da752
                                              • Instruction Fuzzy Hash: 0C21FF71504240DFDF45EF14DA80B26BF66FB89318F24C569E9490B356C33AD856CBA2
                                              Function 02DAD01C Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172887367.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2dad000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 998e6015eb552f0305b64624dd2c5632728d80907585f3d5d40cd6e2131ff4fa
                                              • Instruction ID: 9eefdefc962d7b36920dc2228a6fbb07de47f7fe5fb621c1358d78177a02e7f4
                                              • Opcode Fuzzy Hash: 998e6015eb552f0305b64624dd2c5632728d80907585f3d5d40cd6e2131ff4fa
                                              • Instruction Fuzzy Hash: 2B212F71604200DFDB14CF24D991F26BFA6EB88314F30C969E84A4B756C33AD807CAA2
                                              Function 069F8F42 Relevance: .1, Instructions: 72COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 248071c1e9a5c1dd656f0640f5a34d70b7bdf3ce18ccf511dcde9b6a5bb99908
                                              • Instruction ID: 2eb70303e8e8e6d2517b26c15881a0473138999b9dc7984b97b4b54bb9fe9a1d
                                              • Opcode Fuzzy Hash: 248071c1e9a5c1dd656f0640f5a34d70b7bdf3ce18ccf511dcde9b6a5bb99908
                                              • Instruction Fuzzy Hash: B7214474D1524ADFCF80CFA8D584AEEBBB5EF09321F2040AAE525A7351C7345A81DB90
                                              Function 069F8A8C Relevance: .1, Instructions: 70COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e95fc833dce2f941cf8139529b31681d44f28fb5c97a86676e7455d145c2ffd8
                                              • Instruction ID: 1b34e57553adf67931c3adb2aef2da6427360f19f98b91848796726d6bea45ba
                                              • Opcode Fuzzy Hash: e95fc833dce2f941cf8139529b31681d44f28fb5c97a86676e7455d145c2ffd8
                                              • Instruction Fuzzy Hash: F02126B0D112589FCB54CFA9C995BDEBFF9AF48310F14882AE505B7240D7759845CBA0
                                              Function 069FC0BF Relevance: .1, Instructions: 65COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f337c2da032d0406b8f44dc905d35eb292be401f009f177bfd6d6bd3e2debf12
                                              • Instruction ID: 081f684541203eb575fbd418ccea507b04c850a68878026056bd1dec55d3e42f
                                              • Opcode Fuzzy Hash: f337c2da032d0406b8f44dc905d35eb292be401f009f177bfd6d6bd3e2debf12
                                              • Instruction Fuzzy Hash: 7D1126722013944FC302DF2CE9987DB3FEADF82304F04055AE0C6CB266D6259A5AC751
                                              Function 069F6E72 Relevance: .1, Instructions: 65COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 36bae2a98f102d1099d882ddedc4abc565538718903d65458a5f12b489cc4151
                                              • Instruction ID: b462eab59469b620b3780dc40f966496e567e2b9502ed8f37afb63fb0bfb02c3
                                              • Opcode Fuzzy Hash: 36bae2a98f102d1099d882ddedc4abc565538718903d65458a5f12b489cc4151
                                              • Instruction Fuzzy Hash: E801D2621092E83FCB624A796C10CE73FEDDE8B25070940CBF9D4D6193C0298A65D7B2
                                              Function 02DAD005 Relevance: .1, Instructions: 62COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172887367.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2dad000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7af77a603e03fa77319a7799c57176ff7626b4697d640f29f4f4196ef9c6c903
                                              • Instruction ID: 6dbea3424e7f2d5e6b72230528e22bc8b8c712eab2b971f7a4a7847b43736de3
                                              • Opcode Fuzzy Hash: 7af77a603e03fa77319a7799c57176ff7626b4697d640f29f4f4196ef9c6c903
                                              • Instruction Fuzzy Hash: FD21A7755093C08FCB02CF24D594B15BF71EB46214F28C5DAD8498F657C33A980ACB62
                                              Function 069FBC5D Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a43111a825f38a5f6e1d52309cf8fd04c99f963eca38e16c858b7531108fec9b
                                              • Instruction ID: 03c0a89de227491a88d7592db9d1177df897cf5378bd4825f504081af0780cbf
                                              • Opcode Fuzzy Hash: a43111a825f38a5f6e1d52309cf8fd04c99f963eca38e16c858b7531108fec9b
                                              • Instruction Fuzzy Hash: B611E5722002055FC789BB38E8509AE3BABEEC1390B150469E10787750DD34AD4ECBA1
                                              Function 02D9D64F Relevance: .1, Instructions: 58COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172817839.0000000002D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2d9d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1af77b3fa130e801d82a87a7fe0c5247251245d4ec94d460628ebe357439b1a
                                              • Instruction ID: 5874739f31d1c7dce7b298a4ab3f196b2df9fb33c922b98b9df6770948bd1cb9
                                              • Opcode Fuzzy Hash: c1af77b3fa130e801d82a87a7fe0c5247251245d4ec94d460628ebe357439b1a
                                              • Instruction Fuzzy Hash: A321D276404280DFCF06DF00D9C4B16BF72FB88314F24C6A9E9490B256C33AD416CB91
                                              Function 02D9D3D3 Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172817839.0000000002D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2d9d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                              • Instruction ID: 0999064593039a3f96379b71c0d0a83fe9b1a4f6f78d4e94f2b8c4c78f002800
                                              • Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                              • Instruction Fuzzy Hash: FE11D272404240CFCF06DF00D5C4B16BF62FB85314F24C6A9E9090B616C33AD456CBA1
                                              Function 02D9D4BF Relevance: .1, Instructions: 56COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172817839.0000000002D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2d9d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                              • Instruction ID: cca68b824341eda0b68b8991b5d84b5b03b4ef32810a803f75b5019720d8f19f
                                              • Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                              • Instruction Fuzzy Hash: C611E176404280CFCF02DF10D9C4B16BF72FB84318F24C6A9E8494B616C336D85ACBA2
                                              Function 069F8350 Relevance: .0, Instructions: 50COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 35510d2cc2950617c84a33b1c8b280805c7f8a2021454629141c84a8a0150e59
                                              • Instruction ID: 357aaa7a630dc9b02197e52afec4de018d9d31a305e209268be49aa77daba22d
                                              • Opcode Fuzzy Hash: 35510d2cc2950617c84a33b1c8b280805c7f8a2021454629141c84a8a0150e59
                                              • Instruction Fuzzy Hash: C801B132B001199BDB10DAA9AC44AAFB7FEEB84211F148036E604D3240DB709D1987A0
                                              Function 069FC499 Relevance: .0, Instructions: 48COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83aa5a738525964d384273151544ded98dff7ff026d4f439e05fad3ca426f57a
                                              • Instruction ID: 9ba4aab10b99de91b42abbad573fb3f59300d881f8b45aecb166fed20ec86727
                                              • Opcode Fuzzy Hash: 83aa5a738525964d384273151544ded98dff7ff026d4f439e05fad3ca426f57a
                                              • Instruction Fuzzy Hash: CB0104706042048FC329AF69E40465E7BE3EFCA301F118A69D14B8B758CF789C0ACB91
                                              Function 069FBC70 Relevance: .0, Instructions: 46COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8c3c3d35417aaf2068861b70a026df8940881c94ae6f29a4777b5bc0fd478f2
                                              • Instruction ID: d22c1f1a0df33f6b7d86b7c3abaf87ad08c07bac06dfa003a828038629958d3e
                                              • Opcode Fuzzy Hash: e8c3c3d35417aaf2068861b70a026df8940881c94ae6f29a4777b5bc0fd478f2
                                              • Instruction Fuzzy Hash: 770171722002054F8BC8BB78E55496E7BABEFC1394B544868E20B87754DE74BD4ECBA1
                                              Function 02D9DAB1 Relevance: .0, Instructions: 45COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172817839.0000000002D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2d9d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c58d45ee84e7ee82696dfc83e61e4f0d82ff90168039bb9b6d2d3a28a717f5ac
                                              • Instruction ID: 9b63313babceac1e09e3aedbe9f9b0ecbeb8e34360f8d2492447c72a9f20a0b9
                                              • Opcode Fuzzy Hash: c58d45ee84e7ee82696dfc83e61e4f0d82ff90168039bb9b6d2d3a28a717f5ac
                                              • Instruction Fuzzy Hash: 7601F2311083449AEB209E19CD84B67BFA8EF55368F18C56AFD484A346C3789C40CAB1
                                              Function 069FACB8 Relevance: .0, Instructions: 45COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48083f96b0c6a6ca28f01fdc3ea7b953b3336ee3e69538d071ac46cda6ccf22e
                                              • Instruction ID: 80b1c4c4c4bea10bc37e57ef517bc3440de651a6e0234346bccc3d519aa70581
                                              • Opcode Fuzzy Hash: 48083f96b0c6a6ca28f01fdc3ea7b953b3336ee3e69538d071ac46cda6ccf22e
                                              • Instruction Fuzzy Hash: 1FF078726092505FCB622BA8AC104AE3F6ADC8224534940AEE28BC7251CA244D07C7E1
                                              Function 069FE8B0 Relevance: .0, Instructions: 44COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f30e8432a8fd64734e82da1a696608fa96bca4b443ecea007630aae0944efb68
                                              • Instruction ID: db0ed17259bc86350bb3f49618aae8edf248b83fa654ebb37eedd95cbc460fa5
                                              • Opcode Fuzzy Hash: f30e8432a8fd64734e82da1a696608fa96bca4b443ecea007630aae0944efb68
                                              • Instruction Fuzzy Hash: 4B01D1346083489FCB46EF78D8148AA3FBAEF86300B1484E9E501CB262DB36DD11C792
                                              Function 069FC4A8 Relevance: .0, Instructions: 42COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0285cf7092cc5bf01d2e54fe1302588d9cdb5a56f63deb189dee2d6b0d926a65
                                              • Instruction ID: a488c68a80fb6dbdbabf7d68a7050d3a01fa025ce39365cee38f603b7b0634bd
                                              • Opcode Fuzzy Hash: 0285cf7092cc5bf01d2e54fe1302588d9cdb5a56f63deb189dee2d6b0d926a65
                                              • Instruction Fuzzy Hash: 2701B5702002058FD319AF69E44465E77E7EFC5315F108A28D14B87748CF78EC0ACB91
                                              Function 069F5508 Relevance: .0, Instructions: 42COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b721dd7a831edfc010857ac06ab4c70660800a7b92564365177c75673ae6334c
                                              • Instruction ID: 4a077285aef6302600c6702e8789a4c7a2e5857f2ccf66a47db885fb8449092d
                                              • Opcode Fuzzy Hash: b721dd7a831edfc010857ac06ab4c70660800a7b92564365177c75673ae6334c
                                              • Instruction Fuzzy Hash: 5001D130A21312CFDBA88B39A504523B3EBBF94205B26883DD202C6E55DA75E880CBD0
                                              Function 069F67C8 Relevance: .0, Instructions: 37COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 258bc88df4789f9ce06c2f01d6a9bc31d30c08c8d10d07e96e959b857265ba48
                                              • Instruction ID: 067641b16a5cba68fe09e8f29bf63cfc5de87350e5ad203c704866334a53377b
                                              • Opcode Fuzzy Hash: 258bc88df4789f9ce06c2f01d6a9bc31d30c08c8d10d07e96e959b857265ba48
                                              • Instruction Fuzzy Hash: 3DF09031B513006BC7208B28EC01F967FEE9B42721F25826AF714CB1E2D7B1E80597A0
                                              Function 069FC170 Relevance: .0, Instructions: 37COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf5ba80f7b2765c5c058c8e63c7b1f9a791cdd57f30994db78cec05c9d4fd50d
                                              • Instruction ID: 49ed331a651ed8fc9f7a10ff35c554189d186136722fad23b41a47e86e3e5516
                                              • Opcode Fuzzy Hash: cf5ba80f7b2765c5c058c8e63c7b1f9a791cdd57f30994db78cec05c9d4fd50d
                                              • Instruction Fuzzy Hash: 1A01D1B1502B058FD316DF2AE808166BBF7FB89300701862EE48AC7611DB34A90ACF81
                                              Function 069F8F50 Relevance: .0, Instructions: 37COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9df9fae8b38c4bdd22f006c68efb9b3097d614f0d92dd6793f9c7732fa54a846
                                              • Instruction ID: e0376c4f138f9d12e0bf08073bf8180d2bb6c8505b71c98328f36b8e3ebc29bd
                                              • Opcode Fuzzy Hash: 9df9fae8b38c4bdd22f006c68efb9b3097d614f0d92dd6793f9c7732fa54a846
                                              • Instruction Fuzzy Hash: 3401D6B4D1420AEFCB84DFA9D9456EEBFF5BB48301F2084AAE515A3340E7740A44DF90
                                              Function 02D9DAB0 Relevance: .0, Instructions: 36COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2172817839.0000000002D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_2d9d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d0bbf99fba9a0a030931a57b5c33d6cebd1c59ba932426b424fe2a27116ab158
                                              • Instruction ID: ab53570630a911a4412584f721ac177bdbc8cceb73f0f4f0617215bbdf30606f
                                              • Opcode Fuzzy Hash: d0bbf99fba9a0a030931a57b5c33d6cebd1c59ba932426b424fe2a27116ab158
                                              • Instruction Fuzzy Hash: D3F0C271004344AEEB108E06CD84B62FFA8EF45769F18C45AED485B286C3789840CA70
                                              Function 069F54F8 Relevance: .0, Instructions: 36COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f895f1d33a7bb207d7ac6c89d192ca9f3c33f61d56cf27fe5c3c583516b1d8c9
                                              • Instruction ID: 73033a2fe6c9e863c5460aa55ec9f6b21d3dcf070f0661ed5fa3f868110d0d43
                                              • Opcode Fuzzy Hash: f895f1d33a7bb207d7ac6c89d192ca9f3c33f61d56cf27fe5c3c583516b1d8c9
                                              • Instruction Fuzzy Hash: 01F04630515341DFCBA5CF21D840A63BBBBAF82214F4A48ADF04186C22C7B1E888CBA0
                                              Function 069F6EA0 Relevance: .0, Instructions: 35COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7620dfd3362541a7a67ddcef16afb5e8e56e456b1077ac7187809afcf6f96f0b
                                              • Instruction ID: d63be014ed0d93ffcb396008541c19296249531f906a800bab90ebed4aa10fd2
                                              • Opcode Fuzzy Hash: 7620dfd3362541a7a67ddcef16afb5e8e56e456b1077ac7187809afcf6f96f0b
                                              • Instruction Fuzzy Hash: 15F037722041E83F8F515E9A5C10CFB7FEDDA8E161B084156FFD8D2281C429CD21ABB0
                                              Function 069FADE9 Relevance: .0, Instructions: 35COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e00ae92fb371f1c4e5468a259430a9a85b616e52e88c78981798b376c2fe2877
                                              • Instruction ID: 43f21bc4730f60c0dfced29016b3800d7b87551ab47b5408d4ae87db0f4c7f40
                                              • Opcode Fuzzy Hash: e00ae92fb371f1c4e5468a259430a9a85b616e52e88c78981798b376c2fe2877
                                              • Instruction Fuzzy Hash: D5F082313051006FC7643A6DE854BDBBEDBEFCA751F40406DE20F83282CA621C0587B9
                                              Function 069F8341 Relevance: .0, Instructions: 33COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4112ea34c5b63f221d212fadd3c7fae0d33b7375ad8f24ac5d3a4472a2d6ad08
                                              • Instruction ID: c2219a0d3720f96ae7bdd70ddaa23dd8e7d2080455cd4de4e67c85ffa9e424c9
                                              • Opcode Fuzzy Hash: 4112ea34c5b63f221d212fadd3c7fae0d33b7375ad8f24ac5d3a4472a2d6ad08
                                              • Instruction Fuzzy Hash: 07F0A772F101155B9B509A689D48AFE7BBEAB841617090026DA14D3100E734851E87A0
                                              Function 069F8FC0 Relevance: .0, Instructions: 33COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9b09b44375372666c00d670f7258b680d21506c564b9a272de77d5d1ec2cab4f
                                              • Instruction ID: e3d372d61d6a1bd0ab1db4ae8f0f7b86ff434c08894bc2a48f9cb1492e89d6ad
                                              • Opcode Fuzzy Hash: 9b09b44375372666c00d670f7258b680d21506c564b9a272de77d5d1ec2cab4f
                                              • Instruction Fuzzy Hash: E4F0CDB0C18149EFDB80CFA4C9055BEBFB0EF1A301F0441D6E446E7750E6398A01EB80
                                              Function 069FAC60 Relevance: .0, Instructions: 31COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f163123aab093aa3d0ebae64d92daffe455a2b82925c44b05c0bb87e44e6148d
                                              • Instruction ID: 703e691e9c7e06d25dbaa89c525f78113748282767b8615b5b1d7a3861a086da
                                              • Opcode Fuzzy Hash: f163123aab093aa3d0ebae64d92daffe455a2b82925c44b05c0bb87e44e6148d
                                              • Instruction Fuzzy Hash: CCF082716092A41FC7177738A8244EE3F6ADE86611709009AE247CB292CE284E46C7F6
                                              Function 069FFF50 Relevance: .0, Instructions: 30COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 210f7e14ddc63eb9eda04facd027d2804613590253a2f65e1923a306907fa7a1
                                              • Instruction ID: 9b44a4a994649f223a2f100aeb1f8f32498b450d8565ca47ccc9be4165491c17
                                              • Opcode Fuzzy Hash: 210f7e14ddc63eb9eda04facd027d2804613590253a2f65e1923a306907fa7a1
                                              • Instruction Fuzzy Hash: A3F0E5B1952244DFCB82DFA4E9106ECBB75DB02300B2047A6D404D7691C7340F18DF81
                                              Function 069FADF8 Relevance: .0, Instructions: 28COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 140d1292ae5801845de7da84c8872e032af751b794da112994e63136b2021269
                                              • Instruction ID: ca299eddcfc3d9f15a497dabbf3c3e11ec14accd977c95df73398b8ade2e2707
                                              • Opcode Fuzzy Hash: 140d1292ae5801845de7da84c8872e032af751b794da112994e63136b2021269
                                              • Instruction Fuzzy Hash: 91E06D313011006FC7543A5AE448A9FBADBEBCA351F104028E20FC3281CA615C0587B5
                                              Function 069FC180 Relevance: .0, Instructions: 27COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d48d9c48f76264ded1e3a8ba7b2c82d3a8f2dcfb3f5a68f3a63bdbe7c271d53
                                              • Instruction ID: 2cc4f55a2038846f62311dec0869515956503e26d9c4e3d644793c8355c0b09a
                                              • Opcode Fuzzy Hash: 4d48d9c48f76264ded1e3a8ba7b2c82d3a8f2dcfb3f5a68f3a63bdbe7c271d53
                                              • Instruction Fuzzy Hash: 58F09074501B068FD715DF26E408526BBF6FB88300B00C62EE94B83A10DB74A90ACF84
                                              Function 069F5698 Relevance: .0, Instructions: 26COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: de96b18b0f0879269b3b28895d79dab5bc91e973fdef2ac65ac461ba1666fa20
                                              • Instruction ID: 6364d1e3f09551d34a75cd719fee5f8160192ca3786d843a50be025ab6043c97
                                              • Opcode Fuzzy Hash: de96b18b0f0879269b3b28895d79dab5bc91e973fdef2ac65ac461ba1666fa20
                                              • Instruction Fuzzy Hash: 72E06DB250D210AFD340DB35AC058977BA9EBA2220F12886EF044C7141E631D840C7A5
                                              Function 069FC120 Relevance: .0, Instructions: 25COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1a98c6ea3d5a37e93610629bd963e8f058e968a951b0c0f7d114664932309d1
                                              • Instruction ID: 36f5a56d78ab330a1efa0cde2c59925e6861522e77cb0cedc24983bbf606da7c
                                              • Opcode Fuzzy Hash: c1a98c6ea3d5a37e93610629bd963e8f058e968a951b0c0f7d114664932309d1
                                              • Instruction Fuzzy Hash: A5E0A9302017658FC710AB2DE408BAE7BEADF81304F040569E2478B641CBAAAC06CB91
                                              Function 069FCC38 Relevance: .0, Instructions: 25COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3e4e48bad6a17c6cc1c38f836350c63890f8eea7c4b73e5f2a130dd93d6fcaeb
                                              • Instruction ID: 29b1fcb1c3a81f3a254304199ba992ad4ac6d1ea0c6b03d4780f2419dc0f96df
                                              • Opcode Fuzzy Hash: 3e4e48bad6a17c6cc1c38f836350c63890f8eea7c4b73e5f2a130dd93d6fcaeb
                                              • Instruction Fuzzy Hash: B0E0D8722062414FC7419F1DF8406C97B96DF51210B02C066D849DB751CA7D0C09CB91
                                              Function 069FB500 Relevance: .0, Instructions: 23COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2dcb595710a1d5117be1dda40868cf356f0614d2ae55172d1131b9d37c384c73
                                              • Instruction ID: 57fd9595f9eec860e023c56d2b5d763e7ccbde05d86848ecdb4e8d384f5878da
                                              • Opcode Fuzzy Hash: 2dcb595710a1d5117be1dda40868cf356f0614d2ae55172d1131b9d37c384c73
                                              • Instruction Fuzzy Hash: E2F039B6D0120DEFCB01DFB8DA488CEBBB5EB44200F1082A6E845E3240EA304B55DB80
                                              Function 069FCE88 Relevance: .0, Instructions: 23COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2e78dc414fc359d704b1f1f3b059708e6e27d4108132162acce1fbfdc5732ccc
                                              • Instruction ID: 8f1895149fe2e989e48a600d234a3d36df0e6eb6e3b5bb44e8fb52eb776e02e7
                                              • Opcode Fuzzy Hash: 2e78dc414fc359d704b1f1f3b059708e6e27d4108132162acce1fbfdc5732ccc
                                              • Instruction Fuzzy Hash: 13E026F4106382AFCB42EB28B4114583B61DB4120031180EAEC8ADB301D92C9D0AC7C1
                                              Function 069FE1FF Relevance: .0, Instructions: 22COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1a95d6c0ae9b843380ce8f99b756d4b2bad83daac925da42ddc5aa094edd29d9
                                              • Instruction ID: 64e79309142727ccc8c09d5aca146ca822effc8df3da61bd5e99e6594beba2a3
                                              • Opcode Fuzzy Hash: 1a95d6c0ae9b843380ce8f99b756d4b2bad83daac925da42ddc5aa094edd29d9
                                              • Instruction Fuzzy Hash: 6CE048B1D49245EFCB41DFA8ED4089D7BB5DB4220172042D6E809D72A1D5344F15C751
                                              Function 069FE8F8 Relevance: .0, Instructions: 21COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed3771f9a410904eec273b114001b04b5f6241dd9318d9f23cf61db19d9ab10d
                                              • Instruction ID: a9e171fdf252b608975e746b9921b115354338a4abe127c09a27c39a252436e1
                                              • Opcode Fuzzy Hash: ed3771f9a410904eec273b114001b04b5f6241dd9318d9f23cf61db19d9ab10d
                                              • Instruction Fuzzy Hash: 73E0C23E1142049FC7428F14C8008843F7ABF0AA0030540C5F1808F272C222D820DB62
                                              Function 069FF910 Relevance: .0, Instructions: 21COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b4ae141d4e911325c7333133267cc42fa084934d503ef7761834f48c606fd346
                                              • Instruction ID: ee12dbe3e662452a8926190eb7419633bc224022f1d2f190601de8d7f49c017b
                                              • Opcode Fuzzy Hash: b4ae141d4e911325c7333133267cc42fa084934d503ef7761834f48c606fd346
                                              • Instruction Fuzzy Hash: 3CE02B2A7083255FC7596AADE4202D77BAB5AD621031B80ABD381CB206CE324C0AC381
                                              Function 069FFF60 Relevance: .0, Instructions: 20COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b18e859fe84ef5723c35fc5a9329b7f1a28f1dbeb44bfc4d497209172b8a61ed
                                              • Instruction ID: fcc531c2f6957b9b11fe6fb9c4cf0de30fe6bb3e21eb3b999a66e7bd29001f1b
                                              • Opcode Fuzzy Hash: b18e859fe84ef5723c35fc5a9329b7f1a28f1dbeb44bfc4d497209172b8a61ed
                                              • Instruction Fuzzy Hash: 54E086B0941108EFCB40EFB8E915A9DB7B9EB01304F1046B8D80493250DB756E14DB51
                                              Function 069FAC80 Relevance: .0, Instructions: 20COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7578660279a145d7014d601d5999cf3e9fb68e4c021718a9f10fbb446bfbb857
                                              • Instruction ID: 14d60378dd56d44e24ecbb83df8e5fe46bec4dd57f511246ff6f481a9218d5cf
                                              • Opcode Fuzzy Hash: 7578660279a145d7014d601d5999cf3e9fb68e4c021718a9f10fbb446bfbb857
                                              • Instruction Fuzzy Hash: C0D01731301129678B0A3669F4188AE7BABEAC9662704002AF70BC3280CE659D0687E5
                                              Function 069FB510 Relevance: .0, Instructions: 19COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 32076fe2e9c05e27a38db91ea3c3fc0c977e44f6bec71da64acf91a41e22311c
                                              • Instruction ID: fad5a65853bc6f99ac879f1a42645eb94a3fbef6784c0faa2c64fc9254424d85
                                              • Opcode Fuzzy Hash: 32076fe2e9c05e27a38db91ea3c3fc0c977e44f6bec71da64acf91a41e22311c
                                              • Instruction Fuzzy Hash: 54E09275D0120DEFCB40DFE8E9448DDBBB9FB48200F1082AAD909A3200EB316B56DF80
                                              Function 069FE280 Relevance: .0, Instructions: 18COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe6699f7632537023ed318e6eb2f3e54ab79d011b3185c7ae5cb841b49063cb9
                                              • Instruction ID: 7e151e2a40ba746bfd8a491663d6746a9d6b9873bd7711636c9ae6fb7a0133b5
                                              • Opcode Fuzzy Hash: fe6699f7632537023ed318e6eb2f3e54ab79d011b3185c7ae5cb841b49063cb9
                                              • Instruction Fuzzy Hash: 0EE01A715015178BCA54EE18F906A4573A6E748344F118469DC46276A4CB6D2E4DCBC0
                                              Function 069FE210 Relevance: .0, Instructions: 16COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d30a8d5bf58b7253c1bbc91ec7bc620d472d6fb50ba876b72ccada4a4c645a75
                                              • Instruction ID: c79d1643f58e45b0c7fa7090ce2ce54bb5aa39b4e9b73cef8586f3b83a8ec600
                                              • Opcode Fuzzy Hash: d30a8d5bf58b7253c1bbc91ec7bc620d472d6fb50ba876b72ccada4a4c645a75
                                              • Instruction Fuzzy Hash: 0FD012B1A0110CFF8B40EFA8E90195D77F9DB44205B1081E99409E3200DA355E04DB90
                                              Function 069FF8EA Relevance: .0, Instructions: 14COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f1c18e5a6189f81bcfb60c8ad809e7e4759d19064cbc5184d925a962b203dc0
                                              • Instruction ID: f93caf2abd56e0a25d9dee3304208b6723d4c1f69124339795a284bf58a6fe70
                                              • Opcode Fuzzy Hash: 0f1c18e5a6189f81bcfb60c8ad809e7e4759d19064cbc5184d925a962b203dc0
                                              • Instruction Fuzzy Hash: 38C012B37001200F47D47A5C701016D65D3C7C85A2359406EE60EC3388DD714C418740
                                              Function 069F3721 Relevance: .0, Instructions: 12COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 877d9a0ad8f829cce3e6586f6f41e21e942398e938f9bc70928324e18b226497
                                              • Instruction ID: 74e90c33072583cbf8106c90af3c637855300b63daca0ac6cea030d84d64fe9c
                                              • Opcode Fuzzy Hash: 877d9a0ad8f829cce3e6586f6f41e21e942398e938f9bc70928324e18b226497
                                              • Instruction Fuzzy Hash: 29C08C3214A3903FC71207202C05DE37E3A1BD2700F060187F3848A09382A20534DBF3
                                              Function 069FDFD1 Relevance: .0, Instructions: 9COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 36cf734c3db0778b6900d9d95b9eb915dd76ef09413e951259d8547eba7adaab
                                              • Instruction ID: 351780aaa66c859ecdece4722ecf94604e23088d83c7c97ea2f7a341cd700269
                                              • Opcode Fuzzy Hash: 36cf734c3db0778b6900d9d95b9eb915dd76ef09413e951259d8547eba7adaab
                                              • Instruction Fuzzy Hash: 84B092676CB3805ED7120A289C0998A3A2A4BA7E2171400DFFA82DE0A6C211044B83A6

                                              Non-executed Functions

                                              Function 07BFA6F8 Relevance: 5.3, Strings: 4, Instructions: 268COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Haq$Haq$Haq$Haq
                                              • API String ID: 0-3862180702
                                              • Opcode ID: 8b335ea1073efbfd52ef18125d28a8bf7e5246136743201dd325cf998635b8a8
                                              • Instruction ID: 852a2e2e8f9809a08bc213845e7cb735ed725193627e0fbdacd52a875637638b
                                              • Opcode Fuzzy Hash: 8b335ea1073efbfd52ef18125d28a8bf7e5246136743201dd325cf998635b8a8
                                              • Instruction Fuzzy Hash: 81A1B1B1B002128BDB199F79C4542BEBBF2EF86700F14C5B9D509EB291EB38D945CB90
                                              Function 07BFE7D8 Relevance: 1.0, Instructions: 991COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0ccd530c8de06304bcbff168ffb57b9eba0c65cc4616caec9ccc4103fed79fc8
                                              • Instruction ID: 05674fa8d124a17591c712b37201bb3b2263e48f7620d5a63717b01785265cd8
                                              • Opcode Fuzzy Hash: 0ccd530c8de06304bcbff168ffb57b9eba0c65cc4616caec9ccc4103fed79fc8
                                              • Instruction Fuzzy Hash: 8BA282B4A01229CFEB64DF68C984BDDBBB2BB48300F5482E5D509A7365D770AE85CF50
                                              Function 069F6FE8 Relevance: .8, Instructions: 789COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e5c55042524f07a528198ef4d742a7cca3d7023141ef454fdce1721d871c5d0b
                                              • Instruction ID: 6de3c91d268f52d0cb22ec78ebdf52edc71ef695bc870b023ca2d9afe6c03266
                                              • Opcode Fuzzy Hash: e5c55042524f07a528198ef4d742a7cca3d7023141ef454fdce1721d871c5d0b
                                              • Instruction Fuzzy Hash: AB6210B06002019FD789DF19D45871A7ADAEF85308F24C4AC910E8F3D6DBBADD0B8B95
                                              Function 069F6FF8 Relevance: .8, Instructions: 780COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5cde1cae94cf0aed9ab273b34bbbb8b1c97bbb0ab72e997e708fc09ea8bc2e05
                                              • Instruction ID: 664e67699a5119db4c24ff2aac99c69751b39d719b44fb941b753edf7767ded0
                                              • Opcode Fuzzy Hash: 5cde1cae94cf0aed9ab273b34bbbb8b1c97bbb0ab72e997e708fc09ea8bc2e05
                                              • Instruction Fuzzy Hash: C06220B06002019FD789DF19D45871A7ADAEF85308F24C4AC910E8F3D6DBBADD0B8B95
                                              Function 055A0040 Relevance: .3, Instructions: 315COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2182212393.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_55a0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f7a9c51c24626a51c1033f237901815cc6d19ce00dac647194103b6a6398359
                                              • Instruction ID: 3b81a0f59d619ff8ffe6ddce9af25824ad6f2d3e9284ed6b51e2629ef4a89c8d
                                              • Opcode Fuzzy Hash: 8f7a9c51c24626a51c1033f237901815cc6d19ce00dac647194103b6a6398359
                                              • Instruction Fuzzy Hash: F31285F04037468ED722EF66ED4C1897BB1BB86318F90421AD2656F2E9DBBC154ACF44
                                              Function 0302DC74 Relevance: .3, Instructions: 264COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2173213662.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_3020000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 42003f1395fcd2a2d3357b5d73d43c3a1163866eab1a1935485326475cb549ef
                                              • Instruction ID: 132b707c4633b0198201c37f7b0db947e45147fe91226ceef2b852452ce00ef9
                                              • Opcode Fuzzy Hash: 42003f1395fcd2a2d3357b5d73d43c3a1163866eab1a1935485326475cb549ef
                                              • Instruction Fuzzy Hash: 6DA17E36E01626CFCF05DFB4C8405DEBBB2FF84300B2545AAE815AB265DB75E945CB80
                                              Function 055A0006 Relevance: .2, Instructions: 241COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2182212393.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_55a0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 31f624274b478df1a506a1643f8bd031ed6cb9d4275a41a0ddaa8c8bdce13d8e
                                              • Instruction ID: e4428269ea3e51df26275bf5914c2bc0d548577f19dc3aed947f6a2cec1c050b
                                              • Opcode Fuzzy Hash: 31f624274b478df1a506a1643f8bd031ed6cb9d4275a41a0ddaa8c8bdce13d8e
                                              • Instruction Fuzzy Hash: D6C105F08037468FD722EF26EC481897BB1BB86328F55421BD1616B2E9DBBC154ACF44
                                              Function 07BFE7C9 Relevance: .1, Instructions: 109COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2188497513.0000000007BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_7bf0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 201066634b6243acc48f030089af11ccc087a4f4841ea501c5a62b82805c6115
                                              • Instruction ID: e65b68f38a8c464610cd7391f550bb101983588df7b2347b1a7dee0253460f43
                                              • Opcode Fuzzy Hash: 201066634b6243acc48f030089af11ccc087a4f4841ea501c5a62b82805c6115
                                              • Instruction Fuzzy Hash: 774112B1D016589FEB18CFAAC9487DDFBF2AF88300F14C16AD508A7265DB745989CF50
                                              Function 069FE2C7 Relevance: 46.6, Strings: 37, Instructions: 387COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-2673088322
                                              • Opcode ID: cc6b8fb3d3717a9597bee7eb0d6d3aaef4f5e7693db08c3f2d91bb8626791b22
                                              • Instruction ID: 4506470cad703a64eb5d4358f649681bab1c3b2f8924a2a3e901eaac0ada468d
                                              • Opcode Fuzzy Hash: cc6b8fb3d3717a9597bee7eb0d6d3aaef4f5e7693db08c3f2d91bb8626791b22
                                              • Instruction Fuzzy Hash: DCD1B1307006106BC7096AA5AC93E6DB257FBC6700B94483CD2294F7E9DFB96C1A87D6
                                              Function 069FE2D8 Relevance: 46.6, Strings: 37, Instructions: 383COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-2673088322
                                              • Opcode ID: b29582576c47c473673e08be3f99cc7906511ee01a4a2f8a65ff98c1f5dc33f9
                                              • Instruction ID: 1357d9086c4299bd4e9e1002de8a8ab7f7f8f92c85895adf2d97dff949b346ca
                                              • Opcode Fuzzy Hash: b29582576c47c473673e08be3f99cc7906511ee01a4a2f8a65ff98c1f5dc33f9
                                              • Instruction Fuzzy Hash: D0D1A0307006106BC7096AA5AC93E6DB157FBCA700B94483CD2394F7E9DFB96C1A87D6
                                              Function 069FCC7F Relevance: 16.4, Strings: 13, Instructions: 148COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-2750564404
                                              • Opcode ID: 5b80d3edde7bdcab7ccbe933fac574881d5480cdb65854dcaa7b8a3caf4559d9
                                              • Instruction ID: 5b9f3a8a8331032a0f5aa76a66959273048a083cb23f8676be8d766da4445dd1
                                              • Opcode Fuzzy Hash: 5b80d3edde7bdcab7ccbe933fac574881d5480cdb65854dcaa7b8a3caf4559d9
                                              • Instruction Fuzzy Hash: AD41D2303002102FC7056EA5AC82E2D7657FBC6700B44493CE2294FBDACFBD6D1A879A
                                              Function 069FCC90 Relevance: 16.4, Strings: 13, Instructions: 143COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-2750564404
                                              • Opcode ID: 9c071757c71383f1551f15607a370cd23f859df4ab65f88ec906548cadfbcb6a
                                              • Instruction ID: 5da22d40719fcb672f968626b9b1be6be71560dbc3bd5a0bb61c3fdb33d9a4e9
                                              • Opcode Fuzzy Hash: 9c071757c71383f1551f15607a370cd23f859df4ab65f88ec906548cadfbcb6a
                                              • Instruction Fuzzy Hash: 3041A3303006106BD7056EA5AC82E2D765BFBC6700B54493CE2294FBD9CFBD6D19879A
                                              Function 069FCED1 Relevance: 10.1, Strings: 8, Instructions: 101COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-1413404143
                                              • Opcode ID: 59d657ce0b60d3fd61b7a4de7246a0f89b9545a897257d899a72de3fc96c56ab
                                              • Instruction ID: f1a768915a5fe8ac80187fb18ad14fed8d7e49283d40b098e952154d83be886b
                                              • Opcode Fuzzy Hash: 59d657ce0b60d3fd61b7a4de7246a0f89b9545a897257d899a72de3fc96c56ab
                                              • Instruction Fuzzy Hash: CA31B4307002112FC7066EA5AC82E3D7657FBC6700B54493CE2298FB99CFBD6D198796
                                              Function 069FCEE0 Relevance: 10.1, Strings: 8, Instructions: 93COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-1413404143
                                              • Opcode ID: 257ec437783a686371634d36f3dabf456ab619fccf52337b4f5db586af77c73d
                                              • Instruction ID: 710a6a37ad7f529f3e8688b77b6f25a56f99ffb6281f8214a55b693cec64bb7c
                                              • Opcode Fuzzy Hash: 257ec437783a686371634d36f3dabf456ab619fccf52337b4f5db586af77c73d
                                              • Instruction Fuzzy Hash: 892195307002112BC7056AA5AC82E3D755BFBC6700F94493CE2294FB99CFBD6C1987DA
                                              Function 069FC968 Relevance: 8.8, Strings: 7, Instructions: 88COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-2797143638
                                              • Opcode ID: cf468ff43288c56b4a68bae825c8070021a4255fdd19a675ce4c270c7ea7a61d
                                              • Instruction ID: 23a9766b4276584fbde24a183824fc332329f79112c1a2899f580dc8d0e2ebd8
                                              • Opcode Fuzzy Hash: cf468ff43288c56b4a68bae825c8070021a4255fdd19a675ce4c270c7ea7a61d
                                              • Instruction Fuzzy Hash: 8B31D6303012426BCB053FA5EC41D6D7B57FB9A700B184178E21A8F7E8CEB85D5ADB92
                                              Function 069FC978 Relevance: 8.8, Strings: 7, Instructions: 83COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-2797143638
                                              • Opcode ID: 19d8ea0af624bdfca9b76247645e0ff371e69c76d7c140448b4d8922b867dda2
                                              • Instruction ID: f2679586f8ce5d65665b98f5d70bf2cda3d407372670cc5246752e297d8eac9a
                                              • Opcode Fuzzy Hash: 19d8ea0af624bdfca9b76247645e0ff371e69c76d7c140448b4d8922b867dda2
                                              • Instruction Fuzzy Hash: EB21D8303011126BCB053FA5EC82C6D7B57FB9A700B544178E21A8F7A8CEBC5D5ADB92
                                              Function 069FD538 Relevance: 7.6, Strings: 6, Instructions: 79COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-1343131794
                                              • Opcode ID: 51e42f2bd18d35c83a7b40737907056259408753424248008e3a28e1e4cae867
                                              • Instruction ID: 0215f7347a109fac4dede77b39c36b36455c24dfe97dc9a37ebada4834239e46
                                              • Opcode Fuzzy Hash: 51e42f2bd18d35c83a7b40737907056259408753424248008e3a28e1e4cae867
                                              • Instruction Fuzzy Hash: 3621F8307002102FC7066EA5AC92E2D6657EBC6700F444A3CD1298FB99CFBE5D1A87A6
                                              Function 069FD548 Relevance: 7.6, Strings: 6, Instructions: 73COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DJj$DJj$DJj$DJj$DJj$DJj
                                              • API String ID: 0-1343131794
                                              • Opcode ID: 1ed12baa697bb1b8fcbb582b59a61d26f8f16992828b6954be55c0be6eec2202
                                              • Instruction ID: a88410bf6564d28637d085cb6bbf8519580e1cc54353282834032ce9b493e5a3
                                              • Opcode Fuzzy Hash: 1ed12baa697bb1b8fcbb582b59a61d26f8f16992828b6954be55c0be6eec2202
                                              • Instruction Fuzzy Hash: 6611C9307002102FC7056EA5AC82E2DB65BEBC6700F50493CD2294FB99CFBE6D1987E6
                                              Function 069FED10 Relevance: 5.2, Strings: 4, Instructions: 241COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.2183385235.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_69f0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (_]q$(_]q$(_]q$(_]q
                                              • API String ID: 0-2651352888
                                              • Opcode ID: ab0b18b848b8588912f11eb7502a14464f95e60fb166ed85500976895b35f769
                                              • Instruction ID: a93708358b10c6b356f70d1b45505e39fa0b878abc49e21d18b8c1d850cfdb08
                                              • Opcode Fuzzy Hash: ab0b18b848b8588912f11eb7502a14464f95e60fb166ed85500976895b35f769
                                              • Instruction Fuzzy Hash: 8991BD74B04204AFDB45AF68C4545AE7BB2EFC6300F2584AAE906DF391EA35DD06CBD1