Windows Analysis Report
vhFZk5qPZd.exe

Overview

General Information

Sample name: vhFZk5qPZd.exe (renamed because original name is a hash value)
Original sample name: B37FB6FCD79F8E7CAD5F1B5AB40D107A.exe
Analysis ID: 1538239
MD5: b37fb6fcd79f8e7cad5f1b5ab40d107a
SHA1: 3aeedadae2d4564000014baae138bb05af2e8016
SHA256: 9a758275144859206b6f3149212ba72c51ead3549da162723bd7d28116fa522e
Tags: exe, RedLineStealer, user-abuse_ch
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • vhFZk5qPZd.exe (PID: 7696 cmdline: "C:\Users\user\Desktop\vhFZk5qPZd.exe" MD5: B37FB6FCD79F8E7CAD5F1B5AB40D107A)
    • vhFZk5qPZd.exe (PID: 7856 cmdline: "C:\Users\user\Desktop\vhFZk5qPZd.exe" MD5: B37FB6FCD79F8E7CAD5F1B5AB40D107A)
    • vhFZk5qPZd.exe (PID: 7864 cmdline: "C:\Users\user\Desktop\vhFZk5qPZd.exe" MD5: B37FB6FCD79F8E7CAD5F1B5AB40D107A)
    • vhFZk5qPZd.exe (PID: 7872 cmdline: "C:\Users\user\Desktop\vhFZk5qPZd.exe" MD5: B37FB6FCD79F8E7CAD5F1B5AB40D107A)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["188.190.10.19:1912"], "Bot Id": "FROSHLOG", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.1372573802.0000000003B29000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000005.00000002.1525488184.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.2.vhFZk5qPZd.exe.3bb9d78.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.vhFZk5qPZd.exe.3c04f98.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.vhFZk5qPZd.exe.3bb9d78.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.vhFZk5qPZd.exe.3c04f98.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
5.2.vhFZk5qPZd.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-20T21:17:10.110835+0200 | 2043234 | 1 | A Network Trojan was detected | 188.190.10.19 | 1912 | 192.168.2.9 | 49739 | TCP
2024-10-20T21:17:09.807321+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:15.290747+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:16.125193+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:16.440210+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:16.834548+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:18.141098+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:18.484338+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:18.813776+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:19.283834+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:19.592070+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:21.059928+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:21.369508+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:21.678799+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:21.987001+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:22.301907+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:22.979608+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:23.441326+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:15.594808+0200 | 2046056 | 1 | A Network Trojan was detected | 188.190.10.19 | 1912 | 192.168.2.9 | 49739 | TCP
2024-10-20T21:17:09.807321+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP

AV Detection

Source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.raw.unpack, Malware Configuration Extractor: RedLine {"C2 url": ["188.190.10.19:1912"], "Bot Id": "FROSHLOG", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: vhFZk5qPZd.exe, ReversingLabs: Detection: 71%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: vhFZk5qPZd.exe, Joe Sandbox ML: detected
Source: vhFZk5qPZd.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vhFZk5qPZd.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: qnT.pdb source: vhFZk5qPZd.exe
Source: Binary string: qnT.pdbSHA256M source: vhFZk5qPZd.exe
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe, Code function: 4x nop then jmp 07B36E27h (5_2_07B366C8)
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe, Code function: 4x nop then jmp 07B36624h (5_2_07B36360)
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe, Code function: 4x nop then jmp 07B324BBh (5_2_07B32288)
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe, Code function: 4x nop then jmp 07B314A2h (5_2_07B31080)
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe, Code function: 4x nop then jmp 07B31922h (5_2_07B31080)
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe, Code function: 4x nop then jmp 07B39290h (5_2_07B38D98)
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe, Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (5_2_07B35BF0)
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe, Code function: 4x nop then jmp 07B34E2Bh (5_2_07B34E13)

Networking

Source: Network traffic, Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.9:49739 -> 188.190.10.19:1912
Source: Network traffic, Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.9:49739 -> 188.190.10.19:1912
Source: Network traffic, Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 188.190.10.19:1912 -> 192.168.2.9:49739
Source: Network traffic, Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 188.190.10.19:1912 -> 192.168.2.9:49739
Source: Malware configuration extractor, URLs: 188.190.10.19:1912
Source: global traffic, TCP traffic: 192.168.2.9:49739 -> 188.190.10.19:1912
Source: Joe Sandbox View, ASN Name: ASINTTELUA ASINTTELUA
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                          Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, vhFZk5qPZd.exe, 00000005.00000002.1525488184.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: vhFZk5qPZd.exe, 00000005.00000002.1531150842.0000000004062000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003C92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003C92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1375920815.00000000074D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000000.1355217561.0000000000716000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameqnT.exeD vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000000.00000002.1370104428.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe, 00000005.00000002.1525488184.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe Binary or memory string: OriginalFilenameqnT.exeD vs vhFZk5qPZd.exe
Source: vhFZk5qPZd.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vhFZk5qPZd.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.SetAccessControl
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.AddAccessRule
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, xj6EE79rNsvfVDFZEi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, xj6EE79rNsvfVDFZEi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, xj6EE79rNsvfVDFZEi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.SetAccessControl
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.AddAccessRule
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.SetAccessControl
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@0/1
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vhFZk5qPZd.exe.log
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Mutant created: NULL
Source: vhFZk5qPZd.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vhFZk5qPZd.exe ReversingLabs: Detection: 71%
Source: unknown Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Section loaded: ncrypt.dll
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                          Source: vhFZk5qPZd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: vhFZk5qPZd.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: vhFZk5qPZd.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: qnT.pdb source: vhFZk5qPZd.exe
                          Source: Binary string: qnT.pdbSHA256M source: vhFZk5qPZd.exe

                          Data Obfuscation

                          Source: vhFZk5qPZd.exe, FormGame.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                          Source: vhFZk5qPZd.exe, FormGame.cs .Net Code: InitializeComponent
                          Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, k2WsvcEpO3XMMP1wTF.cs .Net Code: MTKt2ZfSqo System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.vhFZk5qPZd.exe.3d649e0.4.raw.unpack, k2WsvcEpO3XMMP1wTF.cs .Net Code: MTKt2ZfSqo System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.vhFZk5qPZd.exe.3df1600.3.raw.unpack, k2WsvcEpO3XMMP1wTF.cs .Net Code: MTKt2ZfSqo System.Reflection.Assembly.Load(byte[])
                          Source: vhFZk5qPZd.exe Static PE information: 0xFAE5C82E [Wed May 23 11:29:50 2103 UTC]
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAA410 push cs; retf 0_2_05CAA41E
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF7C9 pushad ; retf 0_2_05CAF7CA
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF7F3 pushad ; retf 0_2_05CAF7F4
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA91A8 push ebx; retf 0_2_05CA91B2
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAD123 push eax; retf 0_2_05CAD131
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAA02F push ecx; retf 0_2_05CAA03B
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAA390 push cs; retf 0_2_05CAA41E
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA9290 push esi; retf 0_2_05CA929A
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA9258 push esp; retf 0_2_05CAA5D6
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CA923D push cs; retf 0_2_05CA923F
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF93C pushad ; retf 0_2_05CAF93D
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF8E1 pushad ; retf 0_2_05CAF8E2
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF840 pushad ; retf 0_2_05CAF841
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_05CAF874 pushad ; retf 0_2_05CAF875
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071417AB push eax; retf 0_2_071417AC
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_07141616 push eax; retf 0_2_0714161C
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071416E9 push eax; retf 0_2_071416EF
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_0714147F push eax; retf 0_2_07141480
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071462DC push ds; iretd 0_2_071462DF
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 0_2_071459F1 push eax; retf 0_2_07145A00
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Code function: 5_2_015947D7 push ebp; iretd 5_2_0159483D
                          Source: vhFZk5qPZd.exe Static PE information: section name: .text entropy: 7.988836332316538
                          Source: 0.2.vhFZk5qPZd.exe.74d0000.6.raw.unpack, aK9Kvdl6aKUkU8Qr4f.cs High entropy of concatenated method names: 'UjpZDxuQcH', 'NDsZ90Dfci', 'PUXZxMFHJG', 'ubXZGOghwh', 'rncZU25r29', 'CBRZIM3O5i', 'ruKZRcSRpg', 'BkjZP89NOB', 'J8sZf4M4r3', 'pq4ZnLvxcv'
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: Yara match; File source: Process Memory Space: vhFZk5qPZd.exe PID: 7696, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 10A0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 2B20000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 2870000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 7D10000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 8D10000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 8ED0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 9ED0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 1590000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 2F30000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: 4F30000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Window / User API: threadDelayed 575
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Window / User API: threadDelayed 3778
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe TID: 7716; Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe TID: 8124; Thread sleep time: -17524406870024063s >= -30000s
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe TID: 7896; Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Code function: 5_2_07B37580 LdrInitializeThunk,5_2_07B37580
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Memory written: C:\Users\user\Desktop\vhFZk5qPZd.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Process created: C:\Users\user\Desktop\vhFZk5qPZd.exe "C:\Users\user\Desktop\vhFZk5qPZd.exe"
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Users\user\Desktop\vhFZk5qPZd.exe VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Users\user\Desktop\vhFZk5qPZd.exe VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information

                          Source: Yara match; File source: dump.pcap, type: PCAP
                          Source: Yara match; File source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.vhFZk5qPZd.exe.3c04f98.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.vhFZk5qPZd.exe.3c04f98.2.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 5.2.vhFZk5qPZd.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000000.00000002.1372573802.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000005.00000002.1525488184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: Process Memory Space: vhFZk5qPZd.exe PID: 7696, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: vhFZk5qPZd.exe PID: 7872, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                          Source: C:\Users\user\Desktop\vhFZk5qPZd.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                          Source: Yara matchFile source: 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: vhFZk5qPZd.exe PID: 7872, type: MEMORYSTR

                          Remote Access Functionality

                          Source: Yara match, File source: dump.pcap, type: PCAP
                          Source: Yara match, File source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara match, File source: 0.2.vhFZk5qPZd.exe.3c04f98.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match, File source: 0.2.vhFZk5qPZd.exe.3bb9d78.1.unpack, type: UNPACKEDPE
                          Source: Yara match, File source: 0.2.vhFZk5qPZd.exe.3c04f98.2.unpack, type: UNPACKEDPE
                          Source: Yara match, File source: 5.2.vhFZk5qPZd.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match, File source: 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match, File source: 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match, File source: 00000000.00000002.1372573802.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match, File source: 00000005.00000002.1525488184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match, File source: Process Memory Space: vhFZk5qPZd.exe PID: 7696, type: MEMORYSTR
                          Source: Yara match, File source: Process Memory Space: vhFZk5qPZd.exe PID: 7872, type: MEMORYSTR
                          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                          Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                          Source | Detection | Scanner | Label | Link
                          vhFZk5qPZd.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                          vhFZk5qPZd.exe | 100% | Joe Sandbox ML | |
                          No Antivirus matches
                          No contacted domains info
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegovhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssuevhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://tempuri.org/Entity/Id10vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://tempuri.org/Entity/Id11vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://tempuri.org/Entity/Id10ResponseDvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://tempuri.org/Entity/Id12vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://tempuri.org/Entity/Id16ResponsevhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsevhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://tempuri.org/Entity/Id13vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://tempuri.org/Entity/Id14vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://tempuri.org/Entity/Id15vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id16vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/NoncevhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://tempuri.org/Entity/Id17vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id18vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id5ResponsevhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id19vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id15ResponseDvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id10ResponsevhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id11ResponseDvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id8ResponsevhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/soap/envelope/vhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id8ResponseDvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000003024000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyvhFZk5qPZd.exe, 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.190.10.19 | unknown | Ukraine | 56370 | ASINTTELUA | true
                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                      Analysis ID:1538239
                                                                                                                      Start date and time:2024-10-20 21:16:10 +02:00
                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                      Overall analysis duration:0h 6m 17s
                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                      Report type:full
                                                                                                                      Cookbook file name:default.jbs
                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                      Number of analysed new started processes analysed:10
                                                                                                                      Number of new started drivers analysed:0
                                                                                                                      Number of existing processes analysed:0
                                                                                                                      Number of existing drivers analysed:0
                                                                                                                      Number of injected processes analysed:0
                                                                                                                      Technologies:
                                                                                                                      • HCA enabled
                                                                                                                      • EGA enabled
                                                                                                                      • AMSI enabled
                                                                                                                      Analysis Mode:default
                                                                                                                      Analysis stop reason:Timeout
                                                                                                                      Sample name:vhFZk5qPZd.exe
                                                                                                                      renamed because original name is a hash value
                                                                                                                      Original Sample Name:B37FB6FCD79F8E7CAD5F1B5AB40D107A.exe
                                                                                                                      Detection:MAL
                                                                                                                      Classification:mal100.troj.spyw.evad.winEXE@7/1@0/1
                                                                                                                      EGA Information:
                                                                                                                      • Successful, ratio: 100%
                                                                                                                      HCA Information:
                                                                                                                      • Successful, ratio: 100%
                                                                                                                      • Number of executed functions: 149
                                                                                                                      • Number of non-executed functions: 11
                                                                                                                      Cookbook Comments:
                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                      • VT rate limit hit for: vhFZk5qPZd.exe
Time | Type | Description
15:17:05 | API Interceptor | 27x Sleep call for process: vhFZk5qPZd.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASINTTELUA | PO24252509JASIC.scr.exe | malicious | RedLine | 188.190.10.12
ASINTTELUA | Qpp5L1vHC0.elf | malicious | Unknown | 188.190.4.165
ASINTTELUA | 6pZPnJdO23.elf | malicious | Mirai | 188.190.4.141
ASINTTELUA | 9EUxitC1xZ.elf | malicious | Mirai | 188.190.4.159
ASINTTELUA | xd.x86.elf | malicious | Mirai | 188.190.12.10
ASINTTELUA | nPkth7pJDB.elf | malicious | Mirai | 188.190.4.142
ASINTTELUA | duAaSiWM5K.elf | malicious | Unknown | 188.190.4.132
ASINTTELUA | 3dO4zEiA96 | malicious | Mirai | 188.190.4.116
ASINTTELUA | xd.arm | malicious | Mirai | 188.190.4.143
ASINTTELUA | a1mb0t.x86 | malicious | Mirai | 188.190.18.193
                                                                                                                      Process:C:\Users\user\Desktop\vhFZk5qPZd.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):1216
                                                                                                                      Entropy (8bit):5.34331486778365
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                      Malicious:true
                                                                                                                      Reputation:high, very likely benign file
                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                      Entropy (8bit):7.980091037396245
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                      File name:vhFZk5qPZd.exe
                                                                                                                      File size:674'304 bytes
                                                                                                                      MD5:b37fb6fcd79f8e7cad5f1b5ab40d107a
                                                                                                                      SHA1:3aeedadae2d4564000014baae138bb05af2e8016
                                                                                                                      SHA256:9a758275144859206b6f3149212ba72c51ead3549da162723bd7d28116fa522e
                                                                                                                      SHA512:8b06ba8ebc001de0a5b1ba3880f0e95eda510c2dcc98f1ac35b024b3b479492e436fca8351c2676cdc4c372b0418719782324d28073722a99375391e96a7cf40
                                                                                                                      SSDEEP:12288:Gk1RveBYTNM7p+IhuomugeWgErcoi/zlLKWevRO32nomxO9q:71RWBYBTveWgEgt/R+WkO32nomE9
                                                                                                                      TLSH:A8E4230A5F6D07C1E2BD663D3BA117B152AA9C7B6E9CE31B2061350F3344707EA64E87
                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..............M... ...`....@.. ....................................@................................
                                                                                                                      Icon Hash:32642092d4f29244
                                                                                                                      Entrypoint:0x4a4de6
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:false
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                      Time Stamp:0xFAE5C82E [Wed May 23 11:29:50 2103 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:
                                                                                                                      OS Version Major:4
                                                                                                                      OS Version Minor:0
                                                                                                                      File Version Major:4
                                                                                                                      File Version Minor:0
                                                                                                                      Subsystem Version Major:4
                                                                                                                      Subsystem Version Minor:0
                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                      Instruction
                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa4d91 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa6000 | 0x1770 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa34e4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa2dec | 0xa2e00 | df6537d8895a2ed7dcf58c12a1d59c1f | False | 0.9848816433231006 | OpenPGP Secret Key | 7.988836332316538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa6000 | 0x1770 | 0x1800 | 2d35ffa8d129a3f8f7d515e737c4d12d | False | 0.3893229166666667 | data | 5.056504168655569 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa8000 | 0xc | 0x200 | 4e2ae698174ec419be4466885efd70cf | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa6130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.3726547842401501
RT_GROUP_ICON | 0xa71d8 | 0x14 | data | | | 1.1
RT_VERSION | 0xa71ec | 0x398 | OpenPGP Public Key | | | 0.41630434782608694
RT_MANIFEST | 0xa7584 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-20T21:17:09.807321+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:09.807321+0200 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:10.110835+0200 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 188.190.10.19 | 1912 | 192.168.2.9 | 49739 | TCP
2024-10-20T21:17:15.290747+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:15.594808+0200 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 188.190.10.19 | 1912 | 192.168.2.9 | 49739 | TCP
2024-10-20T21:17:16.125193+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:16.440210+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:16.834548+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:18.141098+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:18.484338+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:18.813776+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:19.283834+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:19.592070+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:21.059928+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:21.369508+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:21.678799+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:21.987001+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:22.301907+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:22.979608+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
2024-10-20T21:17:23.441326+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.9 | 49739 | 188.190.10.19 | 1912 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                      Oct 20, 2024 21:17:16.861011028 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861021042 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861032009 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861041069 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861051083 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861061096 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861069918 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861080885 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861089945 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861099005 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861109972 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861119032 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861129999 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.861138105 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.863806009 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.863816023 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.863823891 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.864435911 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.864785910 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.864990950 CEST497391912192.168.2.9188.190.10.19
                                                                                                                      Oct 20, 2024 21:17:16.865046978 CEST497391912192.168.2.9188.190.10.19
                                                                                                                      Oct 20, 2024 21:17:16.866776943 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.866823912 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.866930008 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.866940022 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.866950035 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867033005 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867043972 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867254019 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867264986 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867273092 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867280960 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867290974 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867300987 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867311001 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867321014 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867330074 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867338896 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867347956 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867389917 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867443085 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867453098 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867464066 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867533922 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867680073 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867691040 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867733955 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867743969 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867752075 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867763042 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867772102 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.867782116 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868077040 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868779898 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868789911 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868802071 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868810892 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868875980 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868885994 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868895054 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.868999004 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.869012117 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.869021893 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.869033098 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.869040966 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.869580984 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.869590044 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870043993 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870055914 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870064020 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870126009 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870136976 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870145082 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870155096 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870254040 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.870498896 CEST497391912192.168.2.9188.190.10.19
                                                                                                                      Oct 20, 2024 21:17:16.870584965 CEST497391912192.168.2.9188.190.10.19
                                                                                                                      Oct 20, 2024 21:17:16.872911930 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.872966051 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.872976065 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873078108 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873087883 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873095989 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873109102 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873119116 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873501062 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873579025 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873646975 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873657942 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873740911 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873795986 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873857975 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873867035 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873876095 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873888016 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873939991 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873950005 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.873954058 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874006033 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874098063 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874109030 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874182940 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874192953 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874209881 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874219894 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874228954 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874519110 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874528885 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874538898 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874548912 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874557972 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874567032 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874576092 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874584913 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874593019 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874603033 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874610901 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874619961 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874629974 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874639988 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874649048 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874658108 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874666929 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874676943 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874686003 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874695063 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874705076 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.874715090 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.875106096 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.875163078 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878473997 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878484011 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878549099 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878560066 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878578901 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878588915 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878638983 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878649950 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878669977 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878765106 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878776073 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878784895 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878794909 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878803015 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878810883 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878818989 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:16.878823042 CEST497391912192.168.2.9188.190.10.19
                                                                                                                      Oct 20, 2024 21:17:16.878887892 CEST497391912192.168.2.9188.190.10.19
                                                                                                                      Oct 20, 2024 21:17:16.878895044 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:23.282821894 CEST191249739188.190.10.19192.168.2.9
                                                                                                                      Oct 20, 2024 21:17:23.348512888 CEST497391912192.168.2.9188.190.10.19
                                                                                                                      Oct 20, 2024 21:17:23.441325903 CEST497391912192.168.2.9188.190.10.19


                                                                                                                      Target ID:0
                                                                                                                      Start time:15:17:05
                                                                                                                      Start date:20/10/2024
                                                                                                                      Path:C:\Users\user\Desktop\vhFZk5qPZd.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\vhFZk5qPZd.exe"
                                                                                                                      Imagebase:0x670000
                                                                                                                      File size:674'304 bytes
                                                                                                                      MD5 hash:B37FB6FCD79F8E7CAD5F1B5AB40D107A
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1372573802.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1372573802.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1372573802.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:3
                                                                                                                      Start time:15:17:06
                                                                                                                      Start date:20/10/2024
                                                                                                                      Path:C:\Users\user\Desktop\vhFZk5qPZd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Users\user\Desktop\vhFZk5qPZd.exe"
                                                                                                                      Imagebase:0x20000
                                                                                                                      File size:674'304 bytes
                                                                                                                      MD5 hash:B37FB6FCD79F8E7CAD5F1B5AB40D107A
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:4
                                                                                                                      Start time:15:17:06
                                                                                                                      Start date:20/10/2024
                                                                                                                      Path:C:\Users\user\Desktop\vhFZk5qPZd.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:"C:\Users\user\Desktop\vhFZk5qPZd.exe"
                                                                                                                      Imagebase:0x1a0000
                                                                                                                      File size:674'304 bytes
                                                                                                                      MD5 hash:B37FB6FCD79F8E7CAD5F1B5AB40D107A
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:5
                                                                                                                      Start time:15:17:06
                                                                                                                      Start date:20/10/2024
                                                                                                                      Path:C:\Users\user\Desktop\vhFZk5qPZd.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\vhFZk5qPZd.exe"
                                                                                                                      Imagebase:0xb50000
                                                                                                                      File size:674'304 bytes
                                                                                                                      MD5 hash:B37FB6FCD79F8E7CAD5F1B5AB40D107A
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1527504662.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1525488184.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true


                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:11.1%
                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                        Signature Coverage:0%
                                                                                                                        Total number of Nodes:200
                                                                                                                        Total number of Limit Nodes:11

                                                                                                                        Control-flow Graph

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        • Instruction Fuzzy Hash: 98D13976E0511ADFCB14CFA9D884AADBFF6FF88319F198865E805AB260D730D941CB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 140e50f1ee75901e2533dfeb9acdd7174ed81109d87dfc211d6902d45e534abe
                                                                                                                        • Instruction ID: 538c063a727614ba425891377f4e23ceccb9337512085811a69d4248a900ec7c
                                                                                                                        • Opcode Fuzzy Hash: 140e50f1ee75901e2533dfeb9acdd7174ed81109d87dfc211d6902d45e534abe
                                                                                                                        • Instruction Fuzzy Hash: 11D1F83192075A8ADB11EBA4D990AEDB7B1FF95300F50C79AE40937211FFB06AC4CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 763db3d83aba21062bf99761e3414648631dafc7e4b86dbfa05100c2085d8d14
                                                                                                                        • Instruction ID: bd477620b482aec8fec221234dcf6bde525ad0e5cc7174ce4149d8ed6aa29c14
                                                                                                                        • Opcode Fuzzy Hash: 763db3d83aba21062bf99761e3414648631dafc7e4b86dbfa05100c2085d8d14
                                                                                                                        • Instruction Fuzzy Hash: CDD1F63192075A8ADB11EBA4D990AEDB7B1FF95300F50C79AE4093B611FF706AC4CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0c25d7b2ccd14ba58692e8c53cb446afcd283e2563ce8e42651b697d9feb685b
                                                                                                                        • Instruction ID: 3eccb7adcbafe56a21b7a6ca071e1e7d86b4f7540e0158100d19451e5487896a
                                                                                                                        • Opcode Fuzzy Hash: 0c25d7b2ccd14ba58692e8c53cb446afcd283e2563ce8e42651b697d9feb685b
                                                                                                                        • Instruction Fuzzy Hash: C4818332A0450ACFDB14CF7AC488AA9BBB2FFC9258B148569D816F7361D731E841CB51

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 010AD786
                                                                                                                        • GetCurrentThread.KERNEL32 ref: 010AD7C3
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 010AD800
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 010AD859
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Current$ProcessThread

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 010AD786
                                                                                                                        • GetCurrentThread.KERNEL32 ref: 010AD7C3
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 010AD800
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 010AD859
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Current$ProcessThread

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07144C56
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateProcess

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07144C56
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateProcess

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 010AB2BE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 010A59D1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 010A59D1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2289755597-0
                                                                                                                        • Opcode ID: 15eb8aa77acc66d71e6a92223db1e6bc709bf085822442f8c1e31ca39b154c8d
                                                                                                                        • Instruction ID: 9d1eb781298609c09c3d51d55546312c2f8d374888c5cac21ac46b8f3ef99a0b
                                                                                                                        • Opcode Fuzzy Hash: 15eb8aa77acc66d71e6a92223db1e6bc709bf085822442f8c1e31ca39b154c8d
                                                                                                                        • Instruction Fuzzy Hash: EF41DF70C007198BEB24CFA9C884BDEBBF6BF89704F20806AD448AB255DB755949CF50

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: @
                                                                                                                        • API String ID: 0-2766056989
                                                                                                                        • Opcode ID: 85863fe06d622264437da29ecc33930ed78438d875d8d6755df038b18f766089
                                                                                                                        • Instruction ID: ac162887d44108df694efb47f89949743bff4aa612ef26382cf483a2612c1db8
                                                                                                                        • Opcode Fuzzy Hash: 85863fe06d622264437da29ecc33930ed78438d875d8d6755df038b18f766089
                                                                                                                        • Instruction Fuzzy Hash: CBE1B475E042198FDB64CFA9C981B9DBBF2FB49314F1485AAD818E7345DB30AA81CF10

                                                                                                                        APIs
                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07144828
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3559483778-0
                                                                                                                        • Opcode ID: 45cf1e8d6d9908c3159299cd2fec2f65746b8afc6aa6cce9bd81d90b9b665d3f
                                                                                                                        • Instruction ID: f882b52c8087dad52ab10f5a5dbb277796031d17fee2a0e4214a7d6c0f7fc6d7
                                                                                                                        • Opcode Fuzzy Hash: 45cf1e8d6d9908c3159299cd2fec2f65746b8afc6aa6cce9bd81d90b9b665d3f
                                                                                                                        • Instruction Fuzzy Hash: F02157B690035ADFDB00CFA9C981BEEBBF1FF48310F14842AE918A7240D7789554CBA0

                                                                                                                        APIs
                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07144828
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3559483778-0
                                                                                                                        • Opcode ID: e8b2ff029d7f27aeadff2c380acc5ce5e8b5af8476969def53a0159ea4b69f7f
                                                                                                                        • Instruction ID: 4a75bb65f149a88e333c31507843f0678ce342a86ddcc7a4ea4cc0d732af9c53
                                                                                                                        • Opcode Fuzzy Hash: e8b2ff029d7f27aeadff2c380acc5ce5e8b5af8476969def53a0159ea4b69f7f
                                                                                                                        • Instruction Fuzzy Hash: 522139B5900359DFDB10CFA9C985BEEBBF5FF48310F14842AE918A7240D7799944CBA0

                                                                                                                        APIs
                                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07144908
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MemoryProcessRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1726664587-0
                                                                                                                        • Opcode ID: 91ebab2148fec501f3c471784e40003626b1fb541be4216a1943dc0b4349e0fd
                                                                                                                        • Instruction ID: 343b0c3902f10cfe44e2e9c0eecc9dec864ab752aa1e9966e62d5535101eb955
                                                                                                                        • Opcode Fuzzy Hash: 91ebab2148fec501f3c471784e40003626b1fb541be4216a1943dc0b4349e0fd
                                                                                                                        • Instruction Fuzzy Hash: EC2134B18003599FDF10CFAAC881BEEBBF1FF48310F14842AE959A7240C7799945CBA1

                                                                                                                        APIs
                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AD9D7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DuplicateHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3793708945-0
                                                                                                                        • Opcode ID: fab3af67df27fc2e78cf169997e555561614388056c68278085d9684a223a5bc
                                                                                                                        • Instruction ID: 71308850d7a3c1b54cc00f655b62811334f6191860762887c99143b9e70cb723
                                                                                                                        • Opcode Fuzzy Hash: fab3af67df27fc2e78cf169997e555561614388056c68278085d9684a223a5bc
                                                                                                                        • Instruction Fuzzy Hash: AE2103B5900249DFDB10CFAAD984AEEBFF5EB48310F14805AE958A3350C378A945CF60

                                                                                                                        APIs
                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0714467E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 983334009-0
                                                                                                                        • Opcode ID: 97994ce8a46182f171a5056d012aee6173a3704f7b2e5f427ada62545925e8f2
                                                                                                                        • Instruction ID: d66ae1358dd1fff1f3f57ee90a46057d017529b01ef23b49c4fd3073213d8584
                                                                                                                        • Opcode Fuzzy Hash: 97994ce8a46182f171a5056d012aee6173a3704f7b2e5f427ada62545925e8f2
                                                                                                                        • Instruction Fuzzy Hash: 0E2179B5900349DFDB10CFAAC5847EEBBF4EF48314F14842AD859A7240C7789545CFA0

                                                                                                                        APIs
                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0714467E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 983334009-0
                                                                                                                        • Opcode ID: b5f57e73baaa549ad1b7d268f46159cabecc3acf3dc05de4f3ac43b603c1043b
                                                                                                                        • Instruction ID: 3926a679a6b99c0d7731c0cb449eba73b206e996d07afc3a70c737f8fd87655c
                                                                                                                        • Opcode Fuzzy Hash: b5f57e73baaa549ad1b7d268f46159cabecc3acf3dc05de4f3ac43b603c1043b
                                                                                                                        • Instruction Fuzzy Hash: 142147B19003099FDB10CFAAC4857EEBBF4EF48314F14842AD859A7280C778A944CFA1
                                                                                                                        APIs
                                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07144908
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MemoryProcessRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1726664587-0
                                                                                                                        • Opcode ID: 7dc8dd97509c992ef4da43333379556d0aa7e1baff6b03b35fcbd5e57f04733d
                                                                                                                        • Instruction ID: 768f182764c1d72d3903bb574879fbb82f26599b45907f7d8448dc5ef260fb01
                                                                                                                        • Opcode Fuzzy Hash: 7dc8dd97509c992ef4da43333379556d0aa7e1baff6b03b35fcbd5e57f04733d
                                                                                                                        • Instruction Fuzzy Hash: 5E2125B18003599FDB10CFAAC880BEEBBF5FF48310F14842AE958A7240C7799944CBA1
                                                                                                                        APIs
                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AD9D7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DuplicateHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3793708945-0
                                                                                                                        • Opcode ID: a5196a739afac3a31dca3d40ac84d7a950f15f2f447c215786fd520609505270
                                                                                                                        • Instruction ID: b9e948c77b04aea4ff74d33b3bec002387a3146227a8234170a2b17d871f03c1
                                                                                                                        • Opcode Fuzzy Hash: a5196a739afac3a31dca3d40ac84d7a950f15f2f447c215786fd520609505270
                                                                                                                        • Instruction Fuzzy Hash: 6C21E4B5900349DFDB10CF9AD984ADEBBF5EB48310F14801AE958A3350D378A944CF61
                                                                                                                        APIs
                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07144746
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4275171209-0
                                                                                                                        • Opcode ID: 65ea6adda94278262f06ca05f55a19892bbd9950306bfa6bff68d8c96e997978
                                                                                                                        • Instruction ID: b66d0e6bbb5f6f3a020374dde05f0cff399be921853c65b403a269e9a9e5c8d0
                                                                                                                        • Opcode Fuzzy Hash: 65ea6adda94278262f06ca05f55a19892bbd9950306bfa6bff68d8c96e997978
                                                                                                                        • Instruction Fuzzy Hash: 00115676800249CFDB10CFA9C844BEEBFF5EF48310F14841AE559AB650C7799551CFA0
                                                                                                                        APIs
                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07144746
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4275171209-0
                                                                                                                        APIs
                                                                                                                        • ResumeThread.KERNELBASE(?), ref: 0714417A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ResumeThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 947044025-0
                                                                                                                        APIs
                                                                                                                        • ResumeThread.KERNELBASE(?), ref: 0714417A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ResumeThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 947044025-0
                                                                                                                        APIs
                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 07146ED5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessagePost
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 410705778-0
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 010AB2BE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4139908857-0
                                                                                                                        APIs
                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 07146ED5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessagePost
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 410705778-0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: (
                                                                                                                        • API String ID: 0-3887548279
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .
                                                                                                                        • API String ID: 0-3974621797
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .
                                                                                                                        • API String ID: 0-3974621797
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: D
                                                                                                                        • API String ID: 0-167290425
                                                                                                                        APIs
                                                                                                                        • CloseHandle.KERNELBASE(?), ref: 07148A60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2962429428-0
                                                                                                                        APIs
                                                                                                                        • CloseHandle.KERNELBASE(?), ref: 07148A60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2962429428-0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: !
                                                                                                                        • API String ID: 0-2657877971
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: ;
                                                                                                                        • API String ID: 0-1661535913
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        • Instruction ID: 40838c6da02d4d75013644a964e5580fdc78d55baefda79c00ad0a0db4e0f666
                                                                                                                        • Opcode Fuzzy Hash: 33063e1350467cbf06bb48e686890ba708f8e8ed8a1f86c6f0041c48242bb7c6
                                                                                                                        • Instruction Fuzzy Hash: 5331B3353042638FDB2A8F75E898B7D7B66FB85318B144CAAD017CB291DE64CC40C791
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 11244a9f945e2a36bbfd40b8237a7a9354a5189f4614906888253f7ddb9e677d
                                                                                                                        • Instruction ID: ef690db14b0b68011f7cf34d5b4c304c8409f4e2bde0b1eb35312eee81f5e0f6
                                                                                                                        • Opcode Fuzzy Hash: 11244a9f945e2a36bbfd40b8237a7a9354a5189f4614906888253f7ddb9e677d
                                                                                                                        • Instruction Fuzzy Hash: 97313A75E092098FDB08CF96C8446EEBFFAABCD305F14D86AD419A3251D7344A41CF94
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: cf9b306723b03f83b847f6c213ae1adc68bd99ce0966eb1d937bde2b8b2c2fab
                                                                                                                        • Instruction ID: 346c05cb03f5421802b4fc32443e922bee32a9fb408af7fb960908a169b488c0
                                                                                                                        • Opcode Fuzzy Hash: cf9b306723b03f83b847f6c213ae1adc68bd99ce0966eb1d937bde2b8b2c2fab
                                                                                                                        • Instruction Fuzzy Hash: C9311AB5D0824ADFCB05CF9AC5809AEBFFAFF49314F109595D819AB312D7309A41CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ca4bfb29c0510bdcba282cdc20eeeed4049152cba026d29c648830452b732c65
                                                                                                                        • Instruction ID: 20c096e9812892db3742fad0f6546c94a0028767d25bffe5a19350ff2be53c0d
                                                                                                                        • Opcode Fuzzy Hash: ca4bfb29c0510bdcba282cdc20eeeed4049152cba026d29c648830452b732c65
                                                                                                                        • Instruction Fuzzy Hash: AE21F53A3046164BEB1466769858A3D7A97FFC461CB1C4839E503CB395EF2ACD42D781
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f183fdd293f2922df91eb3cfcb676e6adba04960122e6c0cea32db94ee6dd40c
                                                                                                                        • Instruction ID: fc7b59f148fa28f9e53d9a25efb7f1417c05dec1ea691557026f460275958e4d
                                                                                                                        • Opcode Fuzzy Hash: f183fdd293f2922df91eb3cfcb676e6adba04960122e6c0cea32db94ee6dd40c
                                                                                                                        • Instruction Fuzzy Hash: 6B21B63A3042164BEB1466769858A7D7A97FFC4618F184439E503CB399DF26CC42D341
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a9388a17684dd303205867b09c5cf9f0df9eff0f9445a74d714e84149ae5b334
                                                                                                                        • Instruction ID: a16347cc3cc98d5ce85d9d24d0dea0ed6ff7e7d5bf2654cecb9cd90e9bebdac5
                                                                                                                        • Opcode Fuzzy Hash: a9388a17684dd303205867b09c5cf9f0df9eff0f9445a74d714e84149ae5b334
                                                                                                                        • Instruction Fuzzy Hash: D1219C76B053059FDB05EBB4984867F7BB7FBC4250B144D29E416E3340EE748D0287A0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3737a692316bff79a186e5d57bce67ad01b7ffb53555491b41809e596e509f2f
                                                                                                                        • Instruction ID: d5da68eab6b4db28e7a4277d19de0d2aa570be70a80904dda0637f57a61e6f1a
                                                                                                                        • Opcode Fuzzy Hash: 3737a692316bff79a186e5d57bce67ad01b7ffb53555491b41809e596e509f2f
                                                                                                                        • Instruction Fuzzy Hash: D131B275E0521ADFDB04CFE9C884AEDBBB2BF88304F148429E91AAB265D7319945CB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370616505.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_efd000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e1590b21199f223dac3fcdbda7f3f34b56419e3d7634d968b11001c0b5337e1a
                                                                                                                        • Instruction ID: 28bf0e88975a77939dd0b4135b5bdcf8cfb4334140fe7a5c201dea79ce8e69dd
                                                                                                                        • Opcode Fuzzy Hash: e1590b21199f223dac3fcdbda7f3f34b56419e3d7634d968b11001c0b5337e1a
                                                                                                                        • Instruction Fuzzy Hash: EC210371508248DFDB05DF10D9C0B7ABF66FB88318F24C569EA091B256C336D856DAA2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370616505.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_efd000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 355141ff879b656eaef6a80d74dff75635aaba641b8a024c452478adc9722ad6
                                                                                                                        • Instruction ID: d92eb6f625936019ec11d313a01f0c7a64071407b8f028d5d16348e6f03b8409
                                                                                                                        • Opcode Fuzzy Hash: 355141ff879b656eaef6a80d74dff75635aaba641b8a024c452478adc9722ad6
                                                                                                                        • Instruction Fuzzy Hash: 72212871508348DFDB04DF10DDC0B66BF66FB94324F24C169DA095B256C336E856CBA2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 22e2d71247ea3d27c41914ecbeefb46d6f461f4ddffdb483636cd9a28d61a17b
                                                                                                                        • Instruction ID: 3d2a551b1a77ab20e793887a7ff915422af6e373099f9a68fd142ddd8448399c
                                                                                                                        • Opcode Fuzzy Hash: 22e2d71247ea3d27c41914ecbeefb46d6f461f4ddffdb483636cd9a28d61a17b
                                                                                                                        • Instruction Fuzzy Hash: FA313AB5E0520ADFDB40CFA9D5846AEBBF5FB08204F14996AD815F3300E7749A40DFA0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 86e66807b4fa9c9931b04a6ad9bb7924be2586b3a99ab480ccff49878d265fbe
                                                                                                                        • Instruction ID: 1f27633948e9e3b09343decd98ef9905d709bb9c39c43710348dbcc0493191c3
                                                                                                                        • Opcode Fuzzy Hash: 86e66807b4fa9c9931b04a6ad9bb7924be2586b3a99ab480ccff49878d265fbe
                                                                                                                        • Instruction Fuzzy Hash: 2621F3323016168BD725DA35D46852EBBA3FF887987148569E917EB350DF31EC02CB80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370745247.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_101d000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: df2a61f14fc635e1cf1482f31bf529fc896b82dd00d4d179eebc30d17c49f686
                                                                                                                        • Instruction ID: 954bc64ffb9928bb2dcba67005f7cb69c760feb9abb8d507ffc4b4b373073073
                                                                                                                        • Opcode Fuzzy Hash: df2a61f14fc635e1cf1482f31bf529fc896b82dd00d4d179eebc30d17c49f686
                                                                                                                        • Instruction Fuzzy Hash: 96214971504340EFDB01DF94D5C4B69BBA5FB94324F24C6ADE8894B28AC33AD406CB61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370745247.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_101d000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f30196f4bb3b4dde9b7ded88eaf6343b1d63ce49633a9627308e457c4296d429
                                                                                                                        • Instruction ID: 4612a2dd6c5bafa73f46026dc99048ca46a45a6d799cb44d2f441aa5b6ee13a7
                                                                                                                        • Opcode Fuzzy Hash: f30196f4bb3b4dde9b7ded88eaf6343b1d63ce49633a9627308e457c4296d429
                                                                                                                        • Instruction Fuzzy Hash: B3212575504340DFDB16DF94D8C8B16BBA5FB84314F24C5ADE88A4B28AC33AD447CB62
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2ca0b2a6eb459a1f6b8814873b64d6a80ebb622eb7922e250e6e49f87f77f55f
                                                                                                                        • Instruction ID: b570e62dba0da5d82680e080eadc58b21660753e297211586f02f0c9e2be53a7
                                                                                                                        • Opcode Fuzzy Hash: 2ca0b2a6eb459a1f6b8814873b64d6a80ebb622eb7922e250e6e49f87f77f55f
                                                                                                                        • Instruction Fuzzy Hash: 292105323053468FD7119B71D8A8B7A7FB6FF85248F18486AE042DB242EB35CD01CB90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b8684251939128da14df4d390bed8799c519df41596d59e89b1253a4ebc598ec
                                                                                                                        • Instruction ID: b84139b9b27501b8eb731a27b85be595d98ebd6297d57ec05f0a672754085125
                                                                                                                        • Opcode Fuzzy Hash: b8684251939128da14df4d390bed8799c519df41596d59e89b1253a4ebc598ec
                                                                                                                        • Instruction Fuzzy Hash: 3031A4B5D0524A9FDB41CFB9C9456AEBBF1FB09204F14886AD814E7340E7389A41CF61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370616505.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_efd000_vhFZk5qPZd.jbxd
                                                                                                                        • Instruction ID: 95426e05b2bd62fee0dc1d2249eec391206e496940078b092dec77ac9189f0e2
                                                                                                                        • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                                                        • Instruction Fuzzy Hash: A5112672404244CFCF11CF00D9C0B66BF72FB94328F24C2A9D9090B656C33AE856CBA2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 588280e1c717b891f8af7a6c16febf6536370913ba43ed8c2ce3a6ffbd1c582e
                                                                                                                        • Instruction ID: 8cf6aff676e92c1874f5bafc88f41f74089a780686a3295920b258f40d3d1cf2
                                                                                                                        • Opcode Fuzzy Hash: 588280e1c717b891f8af7a6c16febf6536370913ba43ed8c2ce3a6ffbd1c582e
                                                                                                                        • Instruction Fuzzy Hash: AB2100B68003499FDB10CF9AD884ADEBFF4FB48314F10842AE919A7200D378A954CFA5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370745247.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_101d000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                                                                                        • Instruction ID: 3094a24bcad1ac7375b10ec728941a7705934b2af73d4ee0b19ada7a321a17af
                                                                                                                        • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                                                                                        • Instruction Fuzzy Hash: 57118E75504280DFDB16CF54D5C4B15BBA2FB44314F24C6AAE8494B69AC33AD44ACB62
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370745247.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_101d000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                                                                                        • Instruction ID: 52c4e030545ed9c2980995f2eeb44f1d2fc811d1d3b6b6c44bbe094fd1f51d8d
                                                                                                                        • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                                                                                                        • Instruction Fuzzy Hash: A611BB75504280DFCB02CF54C5C4B55BBA1FB84224F28C6AAD8894B69AC33AD44ACB61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2bf726c6ec72013164939f21b646909647eba0784ecfeaf1105d4fd4644b1da8
                                                                                                                        • Instruction ID: 388406a1555df52286afb9e356f08cc169eeb27f859cb5bc155efb0dfe7aca13
                                                                                                                        • Opcode Fuzzy Hash: 2bf726c6ec72013164939f21b646909647eba0784ecfeaf1105d4fd4644b1da8
                                                                                                                        • Instruction Fuzzy Hash: B401C4B6B006165F9B14DFB99844ABFBBF7FFC42607144A29E415E3340EF308A0187A0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: fb55df54c19425655ff160360b88d8f312694bfda0bb0dac2457c666a8d37a34
                                                                                                                        • Instruction ID: 0b309f753b23a63b37fcf9410b1195afe0486d52af11e80e501df64e7bf4f1cd
                                                                                                                        • Opcode Fuzzy Hash: fb55df54c19425655ff160360b88d8f312694bfda0bb0dac2457c666a8d37a34
                                                                                                                        • Instruction Fuzzy Hash: D611E2B6800349DFCB10CF9AD984BDEBBF4FB48314F10841AE919A7610D378A554CFA5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2d3b8d6861512d5eaf4e3190bfa77d3485d13e6778c7d780aef290aeed9830dc
                                                                                                                        • Instruction ID: 9c93688f1375747f800367bf0a0f16924b3ce24eb6a1daf461469cd034758103
                                                                                                                        • Opcode Fuzzy Hash: 2d3b8d6861512d5eaf4e3190bfa77d3485d13e6778c7d780aef290aeed9830dc
                                                                                                                        • Instruction Fuzzy Hash: B3117F75E00209DFDF04CFE8D480AEDBBB2FF88314F208129E919AB355C631A945DB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2f84d1abc0d1d173548fafe172b6d8b1dd52e0d177efbcae9fe11258c627a366
                                                                                                                        • Instruction ID: 913d377dcc59e2bd46b5d6aa99bb711c04976e7e44925fdefd2ba923091eebd0
                                                                                                                        • Opcode Fuzzy Hash: 2f84d1abc0d1d173548fafe172b6d8b1dd52e0d177efbcae9fe11258c627a366
                                                                                                                        • Instruction Fuzzy Hash: EA11D2B1D006188BEB18CF9BC9047DEFAF6AFC8304F04C06AD40976254DB7509458F90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b48b2a160ae58a3134086360ae4b3b4a5650a8cacd77361db2815c5465dba3d1
                                                                                                                        • Instruction ID: 5a792a9523499bfe7e70f0d70cdea6d5401172b7e57cde9f0fc9bef3fefe63ba
                                                                                                                        • Opcode Fuzzy Hash: b48b2a160ae58a3134086360ae4b3b4a5650a8cacd77361db2815c5465dba3d1
                                                                                                                        • Instruction Fuzzy Hash: 841105B5E09209DFDB04DFAAC540AADBFFAFB89304F1099A5D418A7315D730AA40CB80
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1370616505.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_efd000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d01fd4216906680ddb121942bf8181b1aea8f8e6b0bd498a7f18e92d2eefe8c3
                                                                                                                        • Instruction ID: 460217d321db24e0045c50eaccc7897516fd231d2508097f73b9d8fb2482ca24
                                                                                                                        • Opcode Fuzzy Hash: d01fd4216906680ddb121942bf8181b1aea8f8e6b0bd498a7f18e92d2eefe8c3
                                                                                                                        • Instruction Fuzzy Hash: 6501A2311083489BE710AB26CD84B76FF99DF41325F28855BEE096E2C6D6799840CAB2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9db14d55c2e02894b949a36d8ff1d3f7e17b25c944b3dbffa0c54f07c14d943e
                                                                                                                        • Instruction ID: 71f5adb3763d1f153b511e236d68ce4d0eeb2e00ceb46d5e0bbfa1ad9d189461
                                                                                                                        • Opcode Fuzzy Hash: 9db14d55c2e02894b949a36d8ff1d3f7e17b25c944b3dbffa0c54f07c14d943e
                                                                                                                        • Instruction Fuzzy Hash: 4AF0BB72704208AFDF09DF74E80999D7FAAEF84214F50857AE805D7350FA71DD508790
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 05e568426c5ce14372a140b02c224544a33f24f2278b26ccfd74e19a12ae4276
                                                                                                                        • Instruction ID: 82fe96224aa130cb016312a5c2791b45ed00ea46da0e224622dd18ba3482cfda
                                                                                                                        • Opcode Fuzzy Hash: 05e568426c5ce14372a140b02c224544a33f24f2278b26ccfd74e19a12ae4276
                                                                                                                        • Instruction Fuzzy Hash: BE11F379D0925ACFDB10CFA4D944BADBFB5BB4A309F10598AD40AB7301C7745A80CFA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 77e41dc236154f7bf3b3586e22ef16b6676dfe2d0cc4ce7b5accc63200d8df14
                                                                                                                        • Instruction ID: 6e222baaddfeefdc49b08d6ec9bad42bdd1857937f8da7b5aae5b6eb1512ba3f
                                                                                                                        • Opcode Fuzzy Hash: 77e41dc236154f7bf3b3586e22ef16b6676dfe2d0cc4ce7b5accc63200d8df14
                                                                                                                        • Instruction Fuzzy Hash: 2D116176800209DFDB15CF99C4897DDBFF1BF48314F24C929D528AB291C3748A44CB90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f6f5fc89482fc02fde5e53beaec29e14e9b796951398a80b6620c45dd1aac155
                                                                                                                        • Instruction ID: deb8d2fb962189ad832d193c8f8bb65a3cd6a8b568eee1eb6b91a763d5b8a573
                                                                                                                        • Opcode Fuzzy Hash: f6f5fc89482fc02fde5e53beaec29e14e9b796951398a80b6620c45dd1aac155
                                                                                                                        • Instruction Fuzzy Hash: 45011375E052149FDB09CFAAD544AEDBBF6AF8D301F049429E409AB314DB309841CBA0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        • Instruction ID: 8dced3e19ff376e606bd6e69809d555256f704c0ae87035f079ce37ba5f67067
                                                                                                                        • Opcode Fuzzy Hash: 187fca2e1adb53f698026bc986d2dfbe820ddc7752be461d034299c64fc6ac27
                                                                                                                        • Instruction Fuzzy Hash: 64D09E370193A167F601BAB89866BCE7B529F95219F048443968459041E411455DD2EF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 050f3a918edd844e1040a02f746ce1ba6734ec81b21b5c99b549f9ea84b3e8a3
                                                                                                                        • Instruction ID: 0b69d224f51156c38753acc07c330e0988cd5a6da9090534d5f01054e3f197ae
                                                                                                                        • Opcode Fuzzy Hash: 050f3a918edd844e1040a02f746ce1ba6734ec81b21b5c99b549f9ea84b3e8a3
                                                                                                                        • Instruction Fuzzy Hash: 62D05E7205A3844FD716ABF8A90E7A47FB8EB03221F450096F0858B453EFA15650CBEA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1f647a666a75ea604c1691618adf444baf05e5168ce30971898fc4a778e01257
                                                                                                                        • Instruction ID: da563d2590e96257c8444b44c46eb3e634ad60a90452c3cc82cf102ac034aabd
                                                                                                                        • Opcode Fuzzy Hash: 1f647a666a75ea604c1691618adf444baf05e5168ce30971898fc4a778e01257
                                                                                                                        • Instruction Fuzzy Hash: 75E01234428612CFEB10EF18D48CAA8BB79FF41304F0184E6D80A6B22ACB30A940CF60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8195d93b3d5eece1b04408dd98171984ebe5d57351adb3808cec0596293fd23c
                                                                                                                        • Instruction ID: df0ca10a54d5679390186dfd93386f8b807bc740fbd2e6d904aa89332cacba77
                                                                                                                        • Opcode Fuzzy Hash: 8195d93b3d5eece1b04408dd98171984ebe5d57351adb3808cec0596293fd23c
                                                                                                                        • Instruction Fuzzy Hash: C4D05271A0220ACFEB20CB64EC41BD8BB38FB88229F1052E1D00D93200CA301A908F60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5fd5d5d80db96e360b1128df0eb12d224865fe17555a4c643c144e0746611935
                                                                                                                        • Instruction ID: 72f443f6a556c16baec816b4c78a3951a10f16d4071f974ea04c5b1d307e3038
                                                                                                                        • Opcode Fuzzy Hash: 5fd5d5d80db96e360b1128df0eb12d224865fe17555a4c643c144e0746611935
                                                                                                                        • Instruction Fuzzy Hash: CFC09B5308F29C1EC217423C3C302D1AF2284431143C516D3D4D5DF557C10596C7C5B9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 655177715dda899b8da274f15ff8425cab5543a29345762a280141076dff4a92
                                                                                                                        • Instruction ID: 8ffb2744767dae79334d75e3498f580c26d8d5128587cad56ec6a52d23b1a306
                                                                                                                        • Opcode Fuzzy Hash: 655177715dda899b8da274f15ff8425cab5543a29345762a280141076dff4a92
                                                                                                                        • Instruction Fuzzy Hash: 9BC0803101070C47D901F771F946515337BF6C82047405720E1050792FDF746D1587D5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 7a93b8cfa694ac488c71918b1376c07a24e06baf6e4e067501e246edeb56bffe
                                                                                                                        • Instruction ID: 56a8e3535b410be73307825c77f62540fc70d97f8d7a64a4bebad9fd7d14af46
                                                                                                                        • Opcode Fuzzy Hash: 7a93b8cfa694ac488c71918b1376c07a24e06baf6e4e067501e246edeb56bffe
                                                                                                                        • Instruction Fuzzy Hash: D1D09235915210CFD314CF21D444BA83B7AFF4A206F8028DDE40B9B261CB31E880CF40
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a085345f580ffa3e378ad5e1a5dfc5e5bb732a526cc18aafef65ffa47ae85260
                                                                                                                        • Instruction ID: 5836a4bff8d51af31dee0bfefe86a8eb8d366762bef7890afcc1a3d67865ce91
                                                                                                                        • Opcode Fuzzy Hash: a085345f580ffa3e378ad5e1a5dfc5e5bb732a526cc18aafef65ffa47ae85260
                                                                                                                        • Instruction Fuzzy Hash: D4C08C7B0204005BD650DB10CE07B81BFE0BB0824CF85CC20928441070D236C817EB20
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b9ce91f9a3c015cfb33ada1635bafcdd837503521a30dc313d694f5aa7d0edf5
                                                                                                                        • Instruction ID: 0264e2538fc867fa4cc260b99fa2678014566f91b825d6112c62e9d08dfab541
                                                                                                                        • Opcode Fuzzy Hash: b9ce91f9a3c015cfb33ada1635bafcdd837503521a30dc313d694f5aa7d0edf5
                                                                                                                        • Instruction Fuzzy Hash: B3C04C724557048BE6186BE4E60E7A47FACF706606F400014F50A468519FA15550C7EA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f01d44d0882c23737a9eafc344da47206f83d66e2bc354edcaa74daf10c441b9
                                                                                                                        • Instruction ID: 4d3af4f75693858606693689511ac93612483b32c787429c55e4ebca12476aaf
                                                                                                                        • Opcode Fuzzy Hash: f01d44d0882c23737a9eafc344da47206f83d66e2bc354edcaa74daf10c441b9
                                                                                                                        • Instruction Fuzzy Hash: D5C02B7F9004009FC60ADB00C900C40BFF2FB5A70470C8C22618D41030F232C819E710
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 808e17ba3eeb0e9392dbe7616dda02d0bf94cf83b036a6402a02ab522ea30544
                                                                                                                        • Instruction ID: fe3f2fde566c9c511cfc5eb6049ebe4f1d860f1f620b86edd03c151977d5dd29
                                                                                                                        • Opcode Fuzzy Hash: 808e17ba3eeb0e9392dbe7616dda02d0bf94cf83b036a6402a02ab522ea30544
                                                                                                                        • Instruction Fuzzy Hash: 46B01277255282A36440E2704D8DB2F7E51FBE9B08F80DD0272491000094728C28F11B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375467611.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_5ca0000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 580de179d0ed96c5b5abe1a417ed255755adf57f193460a3643c6e0cb2ea37be
                                                                                                                        • Instruction ID: b7b433aad1f79eae800977dc7c34e3c2941b2afeb2044cd54450a22ab56f965a
                                                                                                                        • Opcode Fuzzy Hash: 580de179d0ed96c5b5abe1a417ed255755adf57f193460a3643c6e0cb2ea37be
                                                                                                                        • Instruction Fuzzy Hash: 65900267360582513508E1608807B2A7810A6F170875485121B1960144D9609065A037
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9e37f1fa99c46f2b73b502393849c6718f1011c0c8918def46895807308dee2f
                                                                                                                        • Instruction ID: ae70267811f34206a65c79d10ad4f7e3cf8dc36a65785b34894dd67573ed52a9
                                                                                                                        • Opcode Fuzzy Hash: 9e37f1fa99c46f2b73b502393849c6718f1011c0c8918def46895807308dee2f
                                                                                                                        • Instruction Fuzzy Hash: D6E1F9B4E002198FDB14DFA9C590AAEFBF2BF89305F248169D414AB356DB31AD41CF64
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 01886b351d1ccf3210bc24a938c4eb2ce9ebfc692efd6e03eb8b94cdfd65789f
                                                                                                                        • Instruction ID: 3813dd330fc803d9e61eef46dd7430059351b1b0d578915871607ff670933f1f
                                                                                                                        • Opcode Fuzzy Hash: 01886b351d1ccf3210bc24a938c4eb2ce9ebfc692efd6e03eb8b94cdfd65789f
                                                                                                                        • Instruction Fuzzy Hash: 5FE107B4E002198FDB14DFA8C591AAEFBB2BF89305F248169D454AB356DB30AD41CF60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_7140000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8efb7981adee47644ab4811a3604bf71a760083f48c519bf29093ca130d2d365
                                                                                                                        • Instruction ID: 81fb16219cfe25478bf4bdaf9bf8e39c94c07f4cf9d6c6f9192533a3ff29ca15
                                                                                                                        • Opcode Fuzzy Hash: 8efb7981adee47644ab4811a3604bf71a760083f48c519bf29093ca130d2d365
                                                                                                                        • Instruction Fuzzy Hash: D9E119B4E002599FDB14DFA8C590AAEFBB2FF89305F248169D414AB356DB30AD41CF60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1375779726.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1371016722.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10a0000_vhFZk5qPZd.jbxd

                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:15.7%
                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                        Signature Coverage:6.3%
                                                                                                                        Total number of Nodes:63
                                                                                                                        Total number of Limit Nodes:8

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1543243220.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_7b30000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .$1
                                                                                                                        • API String ID: 0-1839485796

                                                                                                                        • Instruction Fuzzy Hash: DF910470D01229DFDB64DFA8D994B9DBBB2BF89304F1081AAD409B7341DB306A85CF11
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1543243220.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_7b30000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 93702b623a57909b3dc63d927da72808ba51efd88951b5793d23e3acf9727d4b
                                                                                                                        • Instruction ID: cfcf53cbe8156b67cc01a26081b1857ca330fc24ba9f692cfb2b6f6e471c6eb7
                                                                                                                        • Opcode Fuzzy Hash: 93702b623a57909b3dc63d927da72808ba51efd88951b5793d23e3acf9727d4b
                                                                                                                        • Instruction Fuzzy Hash: 1271C2B4D00219DFEB18DFA9D890ADDBBB2BF89300F60956AD415BB354DB349881CF50

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0159B086
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526692808.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_1590000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule
                                                                                                                        • String ID: A$Pw
                                                                                                                        • API String ID: 4139908857-1232254899
                                                                                                                        • Opcode ID: 026a88c0c3789ba54a768f1fe488d67475bbf3804b58b06568393b438a8c3e2b
                                                                                                                        • Instruction ID: 7ca60b9cdef9efaa256880ca6de97ff041cfc3553d62b8933dfb72ec5732ad61
                                                                                                                        • Opcode Fuzzy Hash: 026a88c0c3789ba54a768f1fe488d67475bbf3804b58b06568393b438a8c3e2b
                                                                                                                        • Instruction Fuzzy Hash: A3816BB0A00B058FEB24DF69D14575ABBF1FF88304F00892DD55ADBA50D775E849CBA2

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
                                                                                                                        control_flow_graph 61 1595935-159593c 62 1595944-1595a01 CreateActCtxA 61->62 64 1595a0a-1595a64 62->64 65 1595a03-1595a09 62->65 72 1595a73-1595a77 64->72 73 1595a66-1595a69 64->73 65->64 74 1595a79-1595a85 72->74 75 1595a88 72->75 73->72 74->75 77 1595a89 75->77 77->77
                                                                                                                        APIs
                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 015959F1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526692808.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_1590000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create
                                                                                                                        • String ID: A$Pw
                                                                                                                        • API String ID: 2289755597-1232254899
                                                                                                                        • Opcode ID: a244c5f4b4901fa8aa69d55459053b5ff3f753e87b5edf6dd6d2bcb86878eafa
                                                                                                                        • Instruction ID: b8cb46f3349ec5a7ca29501b2e4b4a364b1f347da8532d7e9af68a0571212d51
                                                                                                                        • Opcode Fuzzy Hash: a244c5f4b4901fa8aa69d55459053b5ff3f753e87b5edf6dd6d2bcb86878eafa
                                                                                                                        • Instruction Fuzzy Hash: 3F41CDB0C00719CFEB25CFA9C884BCEBBB5BF49304F24846AD408AB251EBB55945CF95

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 78 1594248-1595a01 CreateActCtxA 81 1595a0a-1595a64 78->81 82 1595a03-1595a09 78->82 89 1595a73-1595a77 81->89 90 1595a66-1595a69 81->90 82->81 91 1595a79-1595a85 89->91 92 1595a88 89->92 90->89 91->92 94 1595a89 92->94 94->94
                                                                                                                        APIs
                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 015959F1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526692808.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_1590000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create
                                                                                                                        • String ID: A$Pw
                                                                                                                        • API String ID: 2289755597-1232254899
                                                                                                                        • Opcode ID: 2ce5941ca761c06767019f04517860b679caa5b16151105402685b83fbfd20ae
                                                                                                                        • Instruction ID: 9dd353f7668989a1488a6d5bfad9bac96b6f327063886c372f41f3610f1b7308
                                                                                                                        • Opcode Fuzzy Hash: 2ce5941ca761c06767019f04517860b679caa5b16151105402685b83fbfd20ae
                                                                                                                        • Instruction Fuzzy Hash: 2641E170C00719CBDB25CFA9C884BCEBBF5BF45304F20806AD408AB251EBB56945CF95

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 95 159c9a0-159d394 DuplicateHandle 97 159d39d-159d3ba 95->97 98 159d396-159d39c 95->98 98->97
                                                                                                                        APIs
                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159D2C6,?,?,?,?,?), ref: 0159D387
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526692808.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_1590000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DuplicateHandle
                                                                                                                        • String ID: A$Pw
                                                                                                                        • API String ID: 3793708945-1232254899
                                                                                                                        • Opcode ID: e6ea62765e4a320fa91056de42caa588be5c5986771a995eec85ad47f005b5ee
                                                                                                                        • Instruction ID: 92604a2af1bb16663a399eafe3e361d0485cac4358c9953720251260ba562e28
                                                                                                                        • Opcode Fuzzy Hash: e6ea62765e4a320fa91056de42caa588be5c5986771a995eec85ad47f005b5ee
                                                                                                                        • Instruction Fuzzy Hash: 5821B3B5900249EFDB10CFAAD984ADEBBF4FB48310F14845AE918A7350D378A954CFA5

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 101 159d2f9-159d394 DuplicateHandle 102 159d39d-159d3ba 101->102 103 159d396-159d39c 101->103 103->102
                                                                                                                        APIs
                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159D2C6,?,?,?,?,?), ref: 0159D387
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526692808.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_1590000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DuplicateHandle
                                                                                                                        • String ID: A$Pw
                                                                                                                        • API String ID: 3793708945-1232254899
                                                                                                                        • Opcode ID: e062d073861ac3be5aa31162dc016d9677ef7aed2fe5599792e0024aa201a6d6
                                                                                                                        • Instruction ID: c9f3ec8d517d289fdbb8bc7cafb2c9e47887f5a2236f666b80556f21489afcf6
                                                                                                                        • Opcode Fuzzy Hash: e062d073861ac3be5aa31162dc016d9677ef7aed2fe5599792e0024aa201a6d6
                                                                                                                        • Instruction Fuzzy Hash: 2821E0B5900209EFDB10CFAAD584ADEBBF4FB48310F24841AE958B7350D378A954CF61

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 106 7b3e410-7b3ea00 108 7b3ea02-7b3ea05 106->108 109 7b3ea08-7b3ea33 LoadLibraryW 106->109 108->109 110 7b3ea35-7b3ea3b 109->110 111 7b3ea3c-7b3ea59 109->111 110->111
                                                                                                                        APIs
                                                                                                                        • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,07B3E91E), ref: 07B3EA26
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1543243220.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_7b30000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID: A$Pw
                                                                                                                        • API String ID: 1029625771-1232254899
                                                                                                                        • Opcode ID: 953ec4836e35051f6854e0d880b89e5d8d2127dba3a91ccbc60e799164bd8b6e
                                                                                                                        • Instruction ID: b23694fd6acdf78222e99b6b6446876558be2a6d66c6fc781d21e4b24ce02ec8
                                                                                                                        • Opcode Fuzzy Hash: 953ec4836e35051f6854e0d880b89e5d8d2127dba3a91ccbc60e799164bd8b6e
                                                                                                                        • Instruction Fuzzy Hash: 291123B5D003498BEB10DF9AC444BDEFBF4EB88310F10846AD829B7610D375A545CFA5

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 114 7b3e9bf-7b3ea00 116 7b3ea02-7b3ea05 114->116 117 7b3ea08-7b3ea33 LoadLibraryW 114->117 116->117 118 7b3ea35-7b3ea3b 117->118 119 7b3ea3c-7b3ea59 117->119 118->119
                                                                                                                        APIs
                                                                                                                        • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,07B3E91E), ref: 07B3EA26
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1543243220.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_7b30000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad
                                                                                                                        • String ID: A$Pw
                                                                                                                        • API String ID: 1029625771-1232254899
                                                                                                                        • Opcode ID: 4af4cc8a9d6bc723481ee30a901a697bde93e0600514a7c99355413ee1c85b3f
                                                                                                                        • Instruction ID: fad4ad8fe93bb2bcd5d1bc3518d26e4a931e98f208e46ce32bf4212ed790c32f
                                                                                                                        • Opcode Fuzzy Hash: 4af4cc8a9d6bc723481ee30a901a697bde93e0600514a7c99355413ee1c85b3f
                                                                                                                        • Instruction Fuzzy Hash: 1711F0B6D002498BEB10CFAAD444BDEFBF4AB88210F14846AD829A7610D379A545CFA5

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 122 159b020-159b060 123 159b068-159b093 GetModuleHandleW 122->123 124 159b062-159b065 122->124 125 159b09c-159b0b0 123->125 126 159b095-159b09b 123->126 124->123 126->125
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0159B086
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526692808.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_1590000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule
                                                                                                                        • String ID: A$Pw
                                                                                                                        • API String ID: 4139908857-1232254899
                                                                                                                        • Opcode ID: 501263bf52112187839b199461a591879b3900c54c3b758264e6a666cdabf5df
                                                                                                                        • Instruction ID: 5ae7c1fec07beca996503ab7497928544c909964032b57e54a24042f19236ab2
                                                                                                                        • Opcode Fuzzy Hash: 501263bf52112187839b199461a591879b3900c54c3b758264e6a666cdabf5df
                                                                                                                        • Instruction Fuzzy Hash: 3011E0B5C007498FEB20CF9AD444BDEFBF4AB88314F10842AD969B7610D379A545CFA5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526443190.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_5_2_129d000_vhFZk5qPZd.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 50342ee59a35a7755051f8e3bceb5a97d097889ae08e6bcdb8209b9e3809dd99
                                                                                                                        • Instruction ID: 8f3430631e7bde17e8ecc36ab997fd04d9f28919438d5a93c732045032549720
                                                                                                                        • Opcode Fuzzy Hash: 50342ee59a35a7755051f8e3bceb5a97d097889ae08e6bcdb8209b9e3809dd99
                                                                                                                        • Instruction Fuzzy Hash: EE214571510248DFDF01DF58E9C0B26BF65FB88318F24C169E9090B256C336D406DBA2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526487054.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526487054.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526443190.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526443190.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1526443190.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000005.00000002.1543243220.0000000007B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B30000, based on PE: false