
Windows Analysis Report
jyRdJ06Naz.exe

Overview

General Information

Sample name: jyRdJ06Naz.exe (renamed because the original name is a hash value)
Original sample name: 489c9c7de5953234600a72ebe8686633e2e0eceb79c408e772e83d561da4b814.exe
Analysis ID: 1554438
MD5: c83b55a55faf5ff57dcfb50c4344521a
SHA1: efa22ba249f339111962fe109b256b215358c8b1
SHA256: 489c9c7de5953234600a72ebe8686633e2e0eceb79c408e772e83d561da4b814
Tags: 4-251-123-83, exe, user-JAMESWT_MHT

Detection

Detection: Meduza Stealer, PureLog Stealer, RedLine, zgRAT
Score: 80 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Meduza Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • jyRdJ06Naz.exe (PID: 6900 cmdline: "C:\Users\user\Desktop\jyRdJ06Naz.exe" MD5: C83B55A55FAF5FF57DCFB50C4344521A)
    • jyRdJ06Naz.tmp (PID: 6948 cmdline: "C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp" /SL5="$2042A,48507756,797184,C:\Users\user\Desktop\jyRdJ06Naz.exe" MD5: 6F170135AEC26A106334B8FEF0F3AB5A)
      • ttgtggt.exe (PID: 2496 cmdline: "C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe" MD5: C9B68B9567CC9067794E32999C02BFA7)
  • cleanup
Malware family information

Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware configuration

RedLine: {"C2 url": "4.251.123.83:6677"}
Yara matches (network capture)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Yara matches (dropped files)

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
Strings matched by MALWARE_Win_zgRAT in is-E8O0B.tmp:
  • 0x45c19:$s1: file:///
  • 0x45b51:$s2: {11111-22222-10009-11112}
  • 0x45ba9:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c2b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Yara matches (memory dumps)

Source | Rule | Description | Author
00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000006.00000002.2006656227.00000000027AD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(3 further memory-dump matches are not included in this export)
Yara matches (unpacked PEs)

Source | Rule | Description | Author
6.0.ttgtggt.exe.3f0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
6.0.ttgtggt.exe.3f0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
6.0.ttgtggt.exe.3f0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
6.0.ttgtggt.exe.3f0000.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
Strings matched by MALWARE_Win_zgRAT in 6.0.ttgtggt.exe.3f0000.0.unpack:
  • 0x45c19:$s1: file:///
  • 0x45b51:$s2: {11111-22222-10009-11112}
  • 0x45ba9:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c2b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
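The $s8 hex string of MALWARE_Win_zgRAT, which matches at the same offset (0x45c2b) in the dropped is-E8O0B.tmp and in the unpacked ttgtggt.exe image, is a slice of a .NET user-string (#US) heap: UTF-16LE text separated by one-byte compressed lengths and a trailing flag byte ("Location", "Find ", "ResourceA", "Virtual..."), which fits the .NET method names (get_Module, BlockCopy, ReadByte) among the other strings. The decoder below is an added example, not part of the Joe Sandbox report or of ditekSHen's rule; the 64 bytes are copied from $s8, and the position of the first length byte (offset 17, right after "Location" and its flag byte) is supplied by hand because the Yara string starts inside an entry.

```python
"""Decode a fragment of a .NET #US (user-string) heap.

Added example, not part of the Joe Sandbox report or the MALWARE_Win_zgRAT
rule. Layout per ECMA-335 II.24.2.4: each entry is a compressed length, the
UTF-16LE text, and one trailing flag byte; a real heap begins with a single
0x00 entry. The bytes below are the 64 bytes the report prints for $s8.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the $s8 string in the report. The Yara match starts inside the
# "Location" entry, so that entry's length byte is not part of the fragment.
US_FRAGMENT = bytes.fromhex(
    "4C006F0063006100740069006F006E00"                  # "Location" (text of a cut-off entry)
    "00"                                                 # flag byte closing that entry
    "0B" "460069006E0064002000" "00"                     # len 11: "Find " + flag
    "13" "5200650073006F0075007200630065004100" "00"     # len 19: "ResourceA" + flag
    "11" "5600690072007400750061006C00"                  # len 17: "Virtual..." cut off by the rule
)
FIRST_LENGTH_OFFSET = 17  # hand-supplied: the byte after "Location" and its flag


def read_compressed_uint(data: bytes, pos: int) -> Tuple[int, int]:
    """ECMA-335 II.23.2 compressed unsigned integer. Returns (value, next_pos)."""
    b0 = data[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | data[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:
        value = ((b0 & 0x1F) << 24) | (data[pos + 1] << 16) | (data[pos + 2] << 8) | data[pos + 3]
        return value, pos + 4
    raise ValueError(f"invalid compressed integer at offset {pos:#x}")


@dataclass
class UsEntry:
    offset: int          # offset of the length prefix within the fragment
    text: str
    flag: Optional[int]  # trailing byte (0 or 1); None when the entry is cut off
    truncated: bool


def decode_us_fragment(data: bytes, first_length_offset: int) -> List[UsEntry]:
    """Walk entries from the first complete length prefix to the end of the data.

    An entry whose declared length runs past the fragment is returned with
    truncated=True and whatever whole UTF-16 code units are available.
    """
    entries: List[UsEntry] = []
    pos = first_length_offset
    while pos < len(data):
        length, body = read_compressed_uint(data, pos)
        if length == 0:                       # the heap's leading empty entry
            entries.append(UsEntry(pos, "", None, False))
            pos = body
            continue
        end = body + length
        if end > len(data):
            avail = data[body:]
            avail = avail[: len(avail) - (len(avail) % 2)]
            entries.append(UsEntry(pos, avail.decode("utf-16-le"), None, True))
            break
        text = data[body:end - 1].decode("utf-16-le")   # last byte of the entry is the flag
        entries.append(UsEntry(pos, text, data[end - 1], False))
        pos = end
    return entries


def user_strings(data: bytes, first_length_offset: int) -> List[str]:
    """All strings in the fragment, including the cut-off text before the first prefix."""
    lead = data[: first_length_offset - 1]           # drop the flag byte of the cut-off entry
    lead = lead[: len(lead) - (len(lead) % 2)]
    head = [lead.decode("utf-16-le")] if lead else []
    return head + [e.text for e in decode_us_fragment(data, first_length_offset)]


if __name__ == "__main__":
    for e in decode_us_fragment(US_FRAGMENT, FIRST_LENGTH_OFFSET):
        print(f"{e.offset:#04x} {e.text!r}{' (truncated)' if e.truncated else ''}")
    print(user_strings(US_FRAGMENT, FIRST_LENGTH_OFFSET))
```

On a full assembly the same walk starts at the #US stream offset taken from the metadata header, where the first entry is the single 0x00 byte; the hand-supplied offset is only needed because the Yara string begins mid-entry. The strings a .NET stub keeps in this heap ("ResourceA", "Virtual...") are worth dumping in full during triage, since they tend to name the loader's next step.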
                            No Sigma rule has matched
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source port | Destination IP | Destination port | Protocol
2024-11-12T14:56:17.147993+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-12T14:56:56.284212+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49743 | TCP
2024-11-12T14:56:25.138239+0100 | 2046056 | 1 | A Network Trojan was detected | 4.251.123.83 | 6677 | 192.168.2.4 | 49736 | TCP
2024-11-12T14:56:24.617611+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 4.251.123.83 | 6677 | TCP
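The alert rows and the extracted configuration together give the one indicator a network defender needs from this report: the RedLine C2 socket 4.251.123.83:6677, seen once outbound from the sandbox host (SID 2046045) and once in the response direction (SID 2046056). The script below is an added example and not part of the Joe Sandbox report; its rows are copied from the alert table, the sandbox host 192.168.2.4 is taken from the report, and the local rule SID range is an assumption. It tags each alert by whether it touches the configured C2 and emits a local Suricata rule for that socket; the two SID 2022930 hits are placed in a review bucket rather than read as exploitation, since they fired on inbound port-443 traffic, normally TLS, and should be corroborated before being acted on.

```python
"""Correlate the Suricata alerts above with the extracted RedLine C2.

Added example, not part of the Joe Sandbox report. Rows are copied from the
report's alert table (column order: Timestamp, SID, Severity, Classtype,
Source IP, Source Port, Destination IP, Destination Port, Protocol); the
sandbox host and the ET message texts come from the report. The local-rule
SID range (1000000+) is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

SANDBOX_HOST = ipaddress.ip_address("192.168.2.4")
EXTRACTED_CONFIG = {"C2 url": "4.251.123.83:6677"}   # RedLine config from the report

SID_MSG: Dict[int, str] = {   # messages the report attaches to these SIDs
    2022930: "ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow",
    2046045: "ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)",
    2046056: "ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)",
}

ALERT_ROWS = [   # copied from the report's alert table
    ("2024-11-12T14:56:17.147993+0100", 2022930, 1, "A Network Trojan was detected", "172.202.163.200", 443, "192.168.2.4", 49730, "TCP"),
    ("2024-11-12T14:56:56.284212+0100", 2022930, 1, "A Network Trojan was detected", "172.202.163.200", 443, "192.168.2.4", 49743, "TCP"),
    ("2024-11-12T14:56:25.138239+0100", 2046056, 1, "A Network Trojan was detected", "4.251.123.83", 6677, "192.168.2.4", 49736, "TCP"),
    ("2024-11-12T14:56:24.617611+0100", 2046045, 1, "A Network Trojan was detected", "192.168.2.4", 49736, "4.251.123.83", 6677, "TCP"),
]


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    severity: int
    classtype: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str

    @property
    def outbound(self) -> bool:
        return self.src == SANDBOX_HOST

    @property
    def remote(self) -> Tuple[str, int]:
        """(remote IP, remote port) from the sandbox host's point of view."""
        return (str(self.dst), self.dport) if self.outbound else (str(self.src), self.sport)


def parse_c2(config: Dict[str, str]) -> Tuple[str, int]:
    """Split the extractor's 'host:port' string; the host is a literal IP, so no DNS lookup precedes it."""
    host, _, port = config["C2 url"].rpartition(":")
    ipaddress.ip_address(host)        # raises if the extractor ever hands us a hostname instead
    return host, int(port)


def load_alerts(rows) -> List[Alert]:
    return [Alert(r[0], r[1], r[2], r[3], ipaddress.ip_address(r[4]), r[5],
                  ipaddress.ip_address(r[6]), r[7], r[8]) for r in rows]


def classify(alert: Alert, c2: Tuple[str, int]) -> str:
    """'c2-request' / 'c2-response' for flows touching the configured C2; 'review' for the rest."""
    if alert.remote == c2:
        return "c2-request" if alert.outbound else "c2-response"
    # Everything else needs a look before it is called exploitation. In this
    # report SID 2022930 fired on an inbound port-443 stream, normally TLS.
    return "review"


def build_iocs(alerts: List[Alert], config: Dict[str, str]) -> Dict[str, object]:
    c2 = parse_c2(config)
    tagged = {a.sid: classify(a, c2) for a in alerts}
    return {
        "c2_ip": c2[0],
        "c2_port": c2[1],
        "c2_flows": sum(1 for a in alerts if classify(a, c2) != "review"),
        "c2_sids": sorted(sid for sid, tag in tagged.items() if tag.startswith("c2-")),
        "review_sids": sorted(sid for sid, tag in tagged.items() if tag == "review"),
    }


def suricata_rule(c2: Tuple[str, int], sid: int = 1000001) -> str:
    """Local rule for the literal C2 socket; the sid lives in the local range (assumption)."""
    return (f"alert tcp $HOME_NET any -> {c2[0]} {c2[1]} "
            f'(msg:"LOCAL RedLine C2 from Joe Sandbox analysis 1554438"; flow:to_server; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    c2 = parse_c2(EXTRACTED_CONFIG)
    alerts = load_alerts(ALERT_ROWS)
    for a in alerts:
        print(a.ts, a.sid, classify(a, c2), SID_MSG.get(a.sid, ""))
    print(build_iocs(alerts, EXTRACTED_CONFIG))
    print(suricata_rule(c2))
```

Because the configuration carries a raw IP:port, there is no DNS name to sinkhole or hunt in resolver logs; the block list and the rule above have to key on the socket itself, which is also why the report records the connections as "TCP traffic detected without corresponding DNS query".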


                            AV Detection

Source: ttgtggt.exe.2496.6.memstrmin | Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}
Source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe (copy) | ReversingLabs: Detection: 65%
Source: jyRdJ06Naz.exe | ReversingLabs: Detection: 26%
Source: Submitted sample | Integrated Neural Analysis Model: Matched 98.3% probability
Source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp | Joe Sandbox ML: detected
Source: jyRdJ06Naz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{873AD2E0-A2B0-482E-8E07-2D2EF1B74924}_is1
Source: jyRdJ06Naz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: is-8QRAK.tmp.1.dr
                            Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: is-8QRAK.tmp.1.dr
                            Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbl source: is-8QRAK.tmp.1.dr
                            Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: is-8QRAK.tmp.1.dr

                            Networking

Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49736 -> 4.251.123.83:6677
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.4:49736
Source: Malware configuration extractor | URLs: 4.251.123.83:6677
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 4.251.123.83:6677
Source: Joe Sandbox View | IP Address: 4.251.123.83
Source: Joe Sandbox View | ASN Name: LEVEL3US
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49743
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49730
Source: unknown | TCP traffic detected without corresponding DNS query: 4.251.123.83 (this entry is repeated 50 times in the report; the C2 is configured as a literal IP:port, so no name resolution precedes the connections)
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: is-8QRAK.tmp.1.dr | String found in binary or memory: BLShlwapi.dllShell32.dllbinSoftware\JavaSoft\Java Development Kit\JavaHomeSoftware\JavaSoft\Java Runtime Environment\FlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmpHEAD.part=attachmentfilename "DLDcharsetPOST123utf-16utf-8US-ASCIIISO-8859-1GETAdvancedInstallerFTP ServerLocal Network ServerHTTP/1.0*/*If-Modified-Since: %s equals www.yahoo.com (Yahoo)
Source: ttgtggt.exe, 00000006.00000002.2026705014.000000001BA7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: ttgtggt.exe, 00000006.00000002.2006656227.00000000029C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: ttgtggt.exe, 00000006.00000002.2006656227.00000000029C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb8 equals www.youtube.com (Youtube)
Source: jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1Response
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2006656227.00000000027AD000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2Response
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002875000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3Response
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002BE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002BE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: jyRdJ06Naz.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                            Source: jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                            Source: jyRdJ06Naz.exe, 00000000.00000003.1942074613.0000000002873000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.tmp, 00000001.00000003.1936101669.0000000002843000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.github.com/
                            Source: jyRdJ06Naz.exe, 00000000.00000003.1707261525.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.tmp, 00000001.00000003.1713318597.0000000003850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.github.com/.https://www.github.com/.https://www.github.com/
                            Source: jyRdJ06Naz.tmp, 00000001.00000003.1936101669.0000000002843000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.github.com/Q9
                            Source: ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: jyRdJ06Naz.exe, 00000000.00000003.1708458496.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.exe, 00000000.00000003.1708853583.000000007F46B000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.tmp, 00000001.00000000.1710643781.00000000002B1000.00000020.00000001.01000000.00000004.sdmp, jyRdJ06Naz.tmp.0.drString found in binary or memory: https://www.innosetup.com/
                            Source: jyRdJ06Naz.exe, 00000000.00000003.1708458496.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.exe, 00000000.00000003.1708853583.000000007F46B000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.tmp, 00000001.00000000.1710643781.00000000002B1000.00000020.00000001.01000000.00000004.sdmp, jyRdJ06Naz.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                            System Summary

                            Source: 6.0.ttgtggt.exe.3f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, type: DROPPEDMatched rule: Detects zgRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9B98C50A6_2_00007FFD9B98C50A
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9B989D026_2_00007FFD9B989D02
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9B9816B36_2_00007FFD9B9816B3
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BAE2B306_2_00007FFD9BAE2B30
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BAE4A996_2_00007FFD9BAE4A99
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BAE2AD06_2_00007FFD9BAE2AD0
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BAE1AC76_2_00007FFD9BAE1AC7
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BAE2AB06_2_00007FFD9BAE2AB0
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BAD05B16_2_00007FFD9BAD05B1
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BAE54916_2_00007FFD9BAE5491
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BADB41D6_2_00007FFD9BADB41D
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 6_2_00007FFD9BAE5A2C6_2_00007FFD9BAE5A2C
                            Source: jyRdJ06Naz.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: is-6IG1B.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: jyRdJ06Naz.tmp.0.drStatic PE information: Number of sections : 11 > 10
                            Source: is-6IG1B.tmp.1.drStatic PE information: Number of sections : 11 > 10
                            Source: jyRdJ06Naz.exeStatic PE information: Number of sections : 11 > 10
                            Source: jyRdJ06Naz.exe, 00000000.00000003.1708853583.000000007F75B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs jyRdJ06Naz.exe
                            Source: jyRdJ06Naz.exe, 00000000.00000000.1706974568.0000000000189000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs jyRdJ06Naz.exe
                            Source: jyRdJ06Naz.exe, 00000000.00000003.1708458496.0000000002E1F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs jyRdJ06Naz.exe
                            Source: jyRdJ06Naz.exeBinary or memory string: OriginalFileName vs jyRdJ06Naz.exe
                            Source: jyRdJ06Naz.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: 6.0.ttgtggt.exe.3f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, type: DROPPEDMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: classification engineClassification label: mal80.troj.spyw.evad.winEXE@5/11@0/1
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmpFile created: C:\Users\user\AppData\Local\ProgramsJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeMutant created: NULL
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exeFile created: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmpJump to behavior
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmpFile read: C:\Users\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                            Source: jyRdJ06Naz.exeReversingLabs: Detection: 26%
                            Source: jyRdJ06Naz.exeString found in binary or memory: /LOADINF="filename"
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exeFile read: C:\Users\user\Desktop\jyRdJ06Naz.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\jyRdJ06Naz.exe "C:\Users\user\Desktop\jyRdJ06Naz.exe"
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp "C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp" /SL5="$2042A,48507756,797184,C:\Users\user\Desktop\jyRdJ06Naz.exe"
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmpProcess created: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe "C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe"
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exeProcess created: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp "C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp" /SL5="$2042A,48507756,797184,C:\Users\user\Desktop\jyRdJ06Naz.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmpProcess created: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe "C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe"Jump to behavior
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exe Section loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exe Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: mpr.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: iconcodecservice.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: windowscodecs.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: wtsapi32.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: winsta.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: textinputframework.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: coreuicomponents.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: coremessaging.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: shfolder.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: rstrtmgr.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: textshaping.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: msftedit.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: windows.globalization.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: bcp47mrm.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: globinputhost.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: dwmapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: explorerframe.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: sfc.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: sfc_os.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: linkinfo.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: ntshrui.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: cscapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: windows.ui.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: windowmanagementapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: inputhost.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: twinapi.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: secur32.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: windowscodecs.dll
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Section loaded: dpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                            Source: My Program.lnk.1.dr LNK file: ..\..\..\..\..\Local\Programs\My Program\ttgtggt.exe
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Window found: window name: TMainForm
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Automated click: Next
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Automated click: Next
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Automated click: Install
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Automated click: Next
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Automated click: Next
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
                            Source: Window Recorder Window detected: More than 3 window changes detected
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{873AD2E0-A2B0-482E-8E07-2D2EF1B74924}_is1
                            Source: jyRdJ06Naz.exe Static file information: File size 49460692 > 1048576
                            Source: jyRdJ06Naz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: is-8QRAK.tmp.1.dr
                            Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: is-8QRAK.tmp.1.dr
                            Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbl source: is-8QRAK.tmp.1.dr
                            Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: is-8QRAK.tmp.1.dr
                            Source: is-E8O0B.tmp.1.dr Static PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
                            Source: jyRdJ06Naz.exe Static PE information: section name: .didata
                            Source: jyRdJ06Naz.tmp.0.dr Static PE information: section name: .didata
                            Source: is-6IG1B.tmp.1.dr Static PE information: section name: .didata
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Code function: 6_2_00007FFD9B8B6BAF push ebp; ret 6_2_00007FFD9B8B6BB0
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Code function: 6_2_00007FFD9B8B5CB5 push edx; iretd 6_2_00007FFD9B8B5CBB
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Code function: 6_2_00007FFD9B982004 pushad ; retf 6_2_00007FFD9B982005
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Code function: 6_2_00007FFD9B98CB50 push eax; retf 6_2_00007FFD9B98CB61
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File created: C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File created: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File created: C:\Users\user\AppData\Local\Programs\My Program\is-6IG1B.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File created: C:\Users\user\AppData\Local\Programs\My Program\is-8QRAK.tmp
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exe File created: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File created: C:\Users\user\AppData\Local\Programs\My Program\unins000.exe (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File created: C:\Users\user\AppData\Local\Programs\My Program\Octo_Browser_latest_win.exe (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File created: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp

                            Boot Survival

                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Key value created or modified: HKEY_CURRENT_USER_Classes\.exe\OpenWithProgids Win64.exe
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\My Program.lnk
                            Source: C:\Users\user\Desktop\jyRdJ06Naz.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \QEMU-GA.EXE
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Memory allocated: B70000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Memory allocated: 1A700000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Window / User API: threadDelayed 1027
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Window / User API: threadDelayed 3038
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\My Program\is-6IG1B.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\My Program\is-8QRAK.tmp
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\My Program\unins000.exe (copy)
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\My Program\Octo_Browser_latest_win.exe (copy)
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe TID: 4852 Thread sleep time: -11068046444225724s >= -30000s
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe TID: 4348 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
                            Source: jyRdJ06Naz.tmp, 00000001.00000003.1937642336.0000000000C2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                            Source: is-8QRAK.tmp.1.dr Binary or memory string: YqEmu^
                            Source: ttgtggt.exe, 00000006.00000002.2027209937.000000001BADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Process information queried: ProcessInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Memory allocated: page read and write | page guard
                            Source: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Queries volume information: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 2496, type: MEMORYSTR
Source: Yara match | File source: 6.0.ttgtggt.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, type: DROPPED
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 6.0.ttgtggt.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 2496, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, type: DROPPED
Source: Yara match | File source: 6.0.ttgtggt.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, type: DROPPED
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: hieplnfojfccegoloniefimmbfjdgcgp|Electrum
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectronCashE#
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: mhonjhhcgphdphdjcdoeodfdliikapmj|Jaxx Liberty
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: idkppnahnmmggbmfkjhiakkbkdpnmnon|Exodus
Source: ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: ttgtggt.exe, 00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: Yara match | File source: 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2006656227.00000000027AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 2496, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 2496, type: MEMORYSTR
Source: Yara match | File source: 6.0.ttgtggt.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, type: DROPPED
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 6.0.ttgtggt.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 2496, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, type: DROPPED
Source: Yara match | File source: 6.0.ttgtggt.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 1 Masquerading | 1 OS Credential Dumping | 421 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 11 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 2 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 113 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label | Link
jyRdJ06Naz.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.Mamut |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Programs\My Program\Octo_Browser_latest_win.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\My Program\is-6IG1B.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\My Program\is-8QRAK.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp | 66% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine |
C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe (copy) | 66% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine |
C:\Users\user\AppData\Local\Programs\My Program\unins000.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |

No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | jyRdJ06Naz.exe | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.remobjects.com/ps | jyRdJ06Naz.exe, 00000000.00000003.1708458496.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.exe, 00000000.00000003.1708853583.000000007F46B000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.tmp, 00000001.00000000.1710643781.00000000002B1000.00000020.00000001.01000000.00000004.sdmp, jyRdJ06Naz.tmp.0.dr | false | | high
https://www.innosetup.com/ | jyRdJ06Naz.exe, 00000000.00000003.1708458496.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.exe, 00000000.00000003.1708853583.000000007F46B000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.tmp, 00000001.00000000.1710643781.00000000002B1000.00000020.00000001.01000000.00000004.sdmp, jyRdJ06Naz.tmp.0.dr | false | | high
https://discord.com/api/v9/users/ | ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/example/Field1Response | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/sc | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.github.com/ | jyRdJ06Naz.exe, 00000000.00000003.1942074613.0000000002873000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.tmp, 00000001.00000003.1936101669.0000000002843000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegottgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.w3.ohttgtggt.exe, 00000006.00000002.2006656227.0000000002BE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.github.com/.https://www.github.com/.https://www.github.com/jyRdJ06Naz.exe, 00000000.00000003.1707261525.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, jyRdJ06Naz.tmp, 00000001.00000003.1713318597.0000000003850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuettgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsettgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Noncettgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Renewttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://ocsp.sectigo.com0jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://tempuri.org/example/Field1ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/soap/envelope/ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://tempuri.org/example/Field2ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://tempuri.org/example/Field3ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=ttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trustttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbackttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/06/addressingexttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoorttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/Noncettgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponsettgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing/faultttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renewttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchttgtggt.exe, 00000006.00000002.2018682966.000000001288A000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012ADF000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012B38000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.0000000012831000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000127D8000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.00000000128E3000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2018682966.000000001273E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://www.w3.ottgtggt.exe, 00000006.00000002.2006656227.0000000002BE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Committedttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              http://tempuri.org/example/Field3Responsettgtggt.exe, 00000006.00000002.2006656227.0000000002875000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/faultttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponsettgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel (ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp) malicious: false, reputation: high
https://sectigo.com/CPS0 (jyRdJ06Naz.tmp, 00000001.00000002.1939184757.0000000000AEC000.00000004.00000010.00020000.00000000.sdmp) malicious: false, reputation: high
https://www.github.com/Q9 (jyRdJ06Naz.tmp, 00000001.00000003.1936101669.0000000002843000.00000004.00001000.00020000.00000000.sdmp) malicious: false, reputation: high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement (ttgtggt.exe, 00000006.00000002.2006656227.0000000002701000.00000004.00000800.00020000.00000000.sdmp) malicious: false, reputation: high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT (ttgtggt.exe, 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp) malicious: false, reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
4.251.123.83 | unknown | United States | 3356 | LEVEL3US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1554438
Start date and time: 2024-11-12 14:55:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: jyRdJ06Naz.exe (renamed because the original name is a hash value)
Original Sample Name: 489c9c7de5953234600a72ebe8686633e2e0eceb79c408e772e83d561da4b814.exe
Detection: MAL
Classification: mal80.troj.spyw.evad.winEXE@5/11@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtOpenFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: jyRdJ06Naz.exe
Time | Type | Description
08:56:26 | API Interceptor | 19x Sleep call for process ttgtggt.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
4.251.123.83 | VJoillkb6X.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | 9LrEuTWP8s.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | HAeAec7no3.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | EUFOvMxM2H.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | i4w1K6ft2F.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | xMYbN0Yd2a.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | FaZM14kDMN.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | j7movK82QT.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | Z4uyrnCQ8L.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
4.251.123.83 | file.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LEVEL3US | VJoillkb6X.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | 9LrEuTWP8s.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | HAeAec7no3.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | EUFOvMxM2H.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | i4w1K6ft2F.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | xMYbN0Yd2a.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | FaZM14kDMN.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | j7movK82QT.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | Z4uyrnCQ8L.exe | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | 4.251.123.83
LEVEL3US | botnet.x86.elf | malicious | Mirai, Moobot | 65.90.191.211
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | Order PO#2024010080.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | Order PO#2024010080.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Zhark RAT
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | KC0uZWwr8p.exe | malicious | NetSupport RAT, NetSupport Downloader
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | $RC8PW8J.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | https://raw.githubusercontent.com/EthanBrooks1955/2x4Q/main/OCPEC.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\is-OJBCC.tmp\_isetup\_setup64.tmp | gxjIKuKnu7.exe | malicious | Socks5Systemz
                                                                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe
                                                                                                                                                                                                                                                                            File Type:CSV text
                                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                                            Size (bytes):2611
                                                                                                                                                                                                                                                                            Entropy (8bit):5.363358188931451
                                                                                                                                                                                                                                                                            Encrypted:false
SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT48BHK7HKmTHlHNW:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZR
MD5:CEA017D10C4D437981D19F21660A47FA
SHA1:61AAFCECB5325DE172857CEF7C7E1F230F73AFFD
SHA-256:60B099420455DECD1878FE84F217CFE478BA0BA5E6E574077150D08355A1DD96
SHA-512:413384BF9D2EDC9BC2DF6D5175D09A33B91CCF9C53FE3CB21892CB57AF4FD8A9BE0608E9BCA57AF4A7F2709A4C110148719DA3210460DF433CFD77FA753B9CF8
Malicious:false
Reputation:moderate, very likely benign file
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):50972704
Entropy (8bit):7.975657545907245
Encrypted:false
SSDEEP:1572864:WPf/ytnQGQWXGdgiGwhFGkOz2pttD7y0/RS:efqteW3m7xdDe0/
MD5:568140EFDEA9501CAF6B5D3DC0125453
SHA1:9B4074B9E60540EE1B328BEF934D9D2B6C4692F7
SHA-256:61E89BFC707CCFC999131C30AEC69E050EFF59F1ACF316A85919B9080DF6A5D4
SHA-512:114A9265E1BBC789AE2FDD47DF80326C3826382F5E9019952065D848CD53BCA27509F761EBB73D3D2A0544AA4A02813E311AF22CE555DA36A851790D794B25DE
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3311677
Entropy (8bit):6.571428369605009
Encrypted:false
SSDEEP:49152:MdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQL33308:uJYVM+LtVt3P/KuG2ONG9iqLRQL333n
MD5:FFB61779AA03F1D68DA83DFAB4824B6A
SHA1:C8F029F3DDC12CF3F0D307E3FA3E91C744532536
SHA-256:E9E132299F1184D65A18D9079A9EF2EE363F529C7E3AD3376F3DA7DEC1D224BF
SHA-512:85D91B5AE47EE0887D675ACE5CD6D970869F5C24014B8EBDB56F4B1F1F0CEE584FF41E68881E6CE142EB4738BFDAD35DB308C68C192D5087A9791AEBA32D7BC5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):50972704
Entropy (8bit):7.975657545907245
Encrypted:false
SSDEEP:1572864:WPf/ytnQGQWXGdgiGwhFGkOz2pttD7y0/RS:efqteW3m7xdDe0/
MD5:568140EFDEA9501CAF6B5D3DC0125453
SHA1:9B4074B9E60540EE1B328BEF934D9D2B6C4692F7
SHA-256:61E89BFC707CCFC999131C30AEC69E050EFF59F1ACF316A85919B9080DF6A5D4
SHA-512:114A9265E1BBC789AE2FDD47DF80326C3826382F5E9019952065D848CD53BCA27509F761EBB73D3D2A0544AA4A02813E311AF22CE555DA36A851790D794B25DE
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):346112
Entropy (8bit):6.572244662396641
Encrypted:false
SSDEEP:6144:2DKXJVqDD/qxgATuaBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4Qx:2DgYDzqxdXBNt1BrivR0V4TBjgYxs1wQ
MD5:C9B68B9567CC9067794E32999C02BFA7
SHA1:D999F0701086E1ECC87380CF002F37F985C6DE4C
SHA-256:8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
SHA-512:9E24E7FAB933FBD5AD500B0759582D3417CCD571C248010BE486C53574F21E38A5D10DD2B14128CC4D4B4D922DC25806A14D46793B9E2FFE951B8C797F458C6A
Malicious:true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Programs\My Program\is-E8O0B.tmp, Author: ditekSHen
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 66%
Reputation:low
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):346112
Entropy (8bit):6.572244662396641
Encrypted:false
SSDEEP:6144:2DKXJVqDD/qxgATuaBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4Qx:2DgYDzqxdXBNt1BrivR0V4TBjgYxs1wQ
MD5:C9B68B9567CC9067794E32999C02BFA7
SHA1:D999F0701086E1ECC87380CF002F37F985C6DE4C
SHA-256:8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
SHA-512:9E24E7FAB933FBD5AD500B0759582D3417CCD571C248010BE486C53574F21E38A5D10DD2B14128CC4D4B4D922DC25806A14D46793B9E2FFE951B8C797F458C6A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 66%
Reputation:low
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:InnoSetup Log My Program {873AD2E0-A2B0-482E-8E07-2D2EF1B74924}, version 0x418, 2208 bytes, 580913\37\user\376, C:\Users\user\AppData\Local\Programs\My P
Category:dropped
Size (bytes):2208
Entropy (8bit):3.4837352046569734
Encrypted:false
SSDEEP:48:8H9GQj9GQniCy1O9GQlU9GQN9GQqz6iCyQfiCyQMHxvKxPxeUhe:LC08zvCUCeHAtHhe
MD5:4C874CEB6A2B370E9DA5800391177B74
SHA1:98D6F41C95C54DF53080A6B2752D29F09AAE46B3
SHA-256:A27859793875C05684F645D3EAEA23BC830C5F0B3A2EBDC438317C2EB424D99C
SHA-512:8F2634A232D300E5B7334972BBF61DCDC5D778684110D8C4B8B1FB7B6C0499B2C381D8C9E1DFC6E6D37031D8C22ABABD7B93B76B063331DB2A968D4F0D9657BA
Malicious:false
Reputation:low
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3311677
Entropy (8bit):6.571428369605009
Encrypted:false
SSDEEP:49152:MdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQL33308:uJYVM+LtVt3P/KuG2ONG9iqLRQL333n
MD5:FFB61779AA03F1D68DA83DFAB4824B6A
SHA1:C8F029F3DDC12CF3F0D307E3FA3E91C744532536
SHA-256:E9E132299F1184D65A18D9079A9EF2EE363F529C7E3AD3376F3DA7DEC1D224BF
SHA-512:85D91B5AE47EE0887D675ACE5CD6D970869F5C24014B8EBDB56F4B1F1F0CEE584FF41E68881E6CE142EB4738BFDAD35DB308C68C192D5087A9791AEBA32D7BC5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Order PO#2024010080.exe, Detection: malicious
• Filename: Order PO#2024010080.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exe, Detection: malicious
• Filename: KC0uZWwr8p.exe, Detection: malicious
• Filename: KC0uZWwr8p.exe, Detection: malicious
• Filename: $RC8PW8J.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: gxjIKuKnu7.exe, Detection: malicious
Reputation:high, very likely benign file
Process:C:\Users\user\Desktop\jyRdJ06Naz.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3287552
Entropy (8bit):6.584850392937076
Encrypted:false
SSDEEP:49152:0dJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQL3330n:WJYVM+LtVt3P/KuG2ONG9iqLRQL333u
MD5:6F170135AEC26A106334B8FEF0F3AB5A
SHA1:5A83B20CEBFF633D7223D140ECD2F704B976EBF9
SHA-256:CCB3E5E44557337A34C89CF7B16B49229A3B2674220D387950E1C1A3705161B6
SHA-512:C72D97A10CFF05498CD9D16EF6F53054A22A45D6ED0430D5CF87C77FAFEA8A9A1DB0F2DACD06CD97F4996DD9AD2D6417948069D29D4F47E056422BDC79C1E684
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Nov 12 12:56:07 2024, mtime=Tue Nov 12 12:56:07 2024, atime=Sun Nov 10 04:07:02 2024, length=346112, window=hide
Category:dropped
Size (bytes):1279
Entropy (8bit):4.814718568181584
Encrypted:false
SSDEEP:24:8mxHIdhR2+bO0w+xek0Sm88ANfWpGQz9GQHMfqyFm:8mxHITR2+bO0petI9uGQz9GQnyF
MD5:1862F1CD7D6C6EB86F7F455882D3DE74
SHA1:2E68852D48FB57E46F328253308F5D82538B58BC
SHA-256:392CA6F86212E0D3C31A965F816235A6DB35D4C6C7BE136512B090D5935A4F70
SHA-512:60DB2E9504E21870CF1984E99FA9EAAC93BDD76316C06B47ABBEB096ABA120475D47B815FCBEDC1B4231F5C8DDD41C01047712896436A00432D613E9BBD42B2F
Malicious:false
                                                                                                                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                            Entropy (8bit):7.9985671904914115
                                                                                                                                                                                                                                                                            TrID:
                                                                                                                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                                                                                                                                                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                                                                                                                                                                                                                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                                                                                                                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                                                            File name:jyRdJ06Naz.exe
                                                                                                                                                                                                                                                                            File size:49'460'692 bytes
                                                                                                                                                                                                                                                                            MD5:c83b55a55faf5ff57dcfb50c4344521a
                                                                                                                                                                                                                                                                            SHA1:efa22ba249f339111962fe109b256b215358c8b1
                                                                                                                                                                                                                                                                            SHA256:489c9c7de5953234600a72ebe8686633e2e0eceb79c408e772e83d561da4b814
                                                                                                                                                                                                                                                                            SHA512:e4187182b1f50fccc1230e24a0ff650b22626e9ef20e3d3c54c147736b4da2c1e3c650c0dbfa6343e0fb7b18972f97356228ab7a28965e19147c151b7966b8a3
                                                                                                                                                                                                                                                                            SSDEEP:786432:n+uDmhiEVVJYMbNrxPLmkGpegNGXA+Ih1ZMGH5j+xjWa3fQ1wb9UrS:nFKhhVl9oOgYAn159+NHPR+S
                                                                                                                                                                                                                                                                            TLSH:D1B73323B3CB943DE06E473F1A61715454F7A620B827BE2699F4846CCF564A10E7FA23
                                                                                                                                                                                                                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                                                                                                                                            Icon Hash:0f0575e0c8713133
                                                                                                                                                                                                                                                                            Entrypoint:0x4a83bc
                                                                                                                                                                                                                                                                            Entrypoint Section:.itext
                                                                                                                                                                                                                                                                            Digitally signed:false
                                                                                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                                                                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                                                                                                            OS Version Major:6
                                                                                                                                                                                                                                                                            OS Version Minor:1
                                                                                                                                                                                                                                                                            File Version Major:6
                                                                                                                                                                                                                                                                            File Version Minor:1
                                                                                                                                                                                                                                                                            Subsystem Version Major:6
                                                                                                                                                                                                                                                                            Subsystem Version Minor:1
                                                                                                                                                                                                                                                                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                                                                                                                                                                                                                                            Instruction
                                                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                                                            mov ebp, esp
                                                                                                                                                                                                                                                                            add esp, FFFFFFA4h
                                                                                                                                                                                                                                                                            push ebx
                                                                                                                                                                                                                                                                            push esi
                                                                                                                                                                                                                                                                            push edi
                                                                                                                                                                                                                                                                            xor eax, eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-3Ch], eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-40h], eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-5Ch], eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-30h], eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-38h], eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-34h], eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-2Ch], eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-28h], eax
                                                                                                                                                                                                                                                                            mov dword ptr [ebp-14h], eax
                                                                                                                                                                                                                                                                            mov eax, 004A2EBCh
                                                                                                                                                                                                                                                                            call 00007FB75905C975h
                                                                                                                                                                                                                                                                            xor eax, eax
                                                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                                                            push 004A8AC1h
                                                                                                                                                                                                                                                                            push dword ptr fs:[eax]
                                                                                                                                                                                                                                                                            mov dword ptr fs:[eax], esp
                                                                                                                                                                                                                                                                            xor edx, edx
                                                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                                                            push 004A8A7Bh
                                                                                                                                                                                                                                                                            push dword ptr fs:[edx]
                                                                                                                                                                                                                                                                            mov dword ptr fs:[edx], esp
                                                                                                                                                                                                                                                                            mov eax, dword ptr [004B0634h]
                                                                                                                                                                                                                                                                            call 00007FB7590EE2FBh
                                                                                                                                                                                                                                                                            call 00007FB7590EDE4Eh
                                                                                                                                                                                                                                                                            lea edx, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                                            xor eax, eax
                                                                                                                                                                                                                                                                            call 00007FB7590E8B28h
                                                                                                                                                                                                                                                                            mov edx, dword ptr [ebp-14h]
                                                                                                                                                                                                                                                                            mov eax, 004B41F4h
                                                                                                                                                                                                                                                                            call 00007FB759056A23h
                                                                                                                                                                                                                                                                            push 00000002h
                                                                                                                                                                                                                                                                            push 00000000h
                                                                                                                                                                                                                                                                            push 00000001h
                                                                                                                                                                                                                                                                            mov ecx, dword ptr [004B41F4h]
                                                                                                                                                                                                                                                                            mov dl, 01h
                                                                                                                                                                                                                                                                            mov eax, dword ptr [0049CD14h]
                                                                                                                                                                                                                                                                            call 00007FB7590E9E53h
                                                                                                                                                                                                                                                                            mov dword ptr [004B41F8h], eax
                                                                                                                                                                                                                                                                            xor edx, edx
                                                                                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                                                                                            push 004A8A27h
                                                                                                                                                                                                                                                                            push dword ptr fs:[edx]
                                                                                                                                                                                                                                                                            mov dword ptr fs:[edx], esp
                                                                                                                                                                                                                                                                            call 00007FB7590EE383h
                                                                                                                                                                                                                                                                            mov dword ptr [004B4200h], eax
                                                                                                                                                                                                                                                                            mov eax, dword ptr [004B4200h]
                                                                                                                                                                                                                                                                            cmp dword ptr [eax+0Ch], 01h
                                                                                                                                                                                                                                                                            jne 00007FB7590F506Ah
                                                                                                                                                                                                                                                                            mov eax, dword ptr [004B4200h]
                                                                                                                                                                                                                                                                            mov edx, 00000028h
                                                                                                                                                                                                                                                                            call 00007FB7590EA748h
                                                                                                                                                                                                                                                                            mov edx, dword ptr [004B4200h]
Data directories:

Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0xb7000          0x71          .edata
IMAGE_DIRECTORY_ENTRY_IMPORT           0xb5000          0xfec         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xcb000          0x5184        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0xba000          0x10fa8       .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0xb9000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0xb52d4          0x25c         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0xb6000          0x1a4         .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x5184 | 0x5200 | 5387b5990969ed6ef136c9bcfb958efc | False | 0.5677877286585366 | data | 5.999416150640438 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb438 | 0x1c30 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0015243902439024
RT_STRING | 0xcd068 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xcd460 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xcd73c | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xcdb6c | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xcdfb8 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xce28c | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xce344 | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xce3e0 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xce754 | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xceaec | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xcee54 | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xcf0f8 | 0x10 | data | | | 1.5
RT_RCDATA | 0xcf108 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xcf418 | 0x2c | data | | | 1.1590909090909092
RT_GROUP_ICON | 0xcf444 | 0x14 | data | English | United States | 1.2
RT_VERSION | 0xcf458 | 0x584 | data | English | United States | 0.2577903682719547
RT_MANIFEST | 0xcf9dc | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-12T14:56:17.147993+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-12T14:56:24.617611+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.4 | 49736 | 4.251.123.83 | 6677 | TCP
2024-11-12T14:56:25.138239+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 4.251.123.83 | 6677 | 192.168.2.4 | 49736 | TCP
2024-11-12T14:56:56.284212+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49743 | TCP
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547005892 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547070026 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547238111 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547249079 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547264099 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547274113 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547282934 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547291994 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547303915 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547307014 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547327995 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547324896 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547344923 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547380924 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.547410011 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553138971 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553149939 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553158998 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553169012 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553179026 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553195953 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553205013 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553208113 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553215027 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553232908 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553239107 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553242922 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553267956 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553303957 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553323984 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553353071 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.553423882 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558171034 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558197975 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558245897 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558299065 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558764935 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558774948 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558784008 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558882952 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558892965 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558903933 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558976889 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.558986902 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.559000015 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.559055090 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.559144974 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.559171915 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.559191942 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.559220076 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563306093 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563333035 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563369036 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563389063 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563397884 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563416004 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563452005 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563463926 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563488960 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563499928 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563544035 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563563108 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563647985 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563777924 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.563827991 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.564552069 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.564613104 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.564680099 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.564773083 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.564811945 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.564861059 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.564994097 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565004110 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565054893 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565083981 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565113068 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565135956 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565162897 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565201998 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565212011 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565233946 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565243959 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565252066 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.565319061 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572365999 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572384119 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572393894 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572403908 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572443962 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572453022 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572462082 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572504044 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572514057 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572546959 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572557926 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572561979 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572566986 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572582960 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572592020 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572608948 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572618008 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572654009 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572690010 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572700024 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.572922945 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.573012114 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575412035 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575423002 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575464010 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575479031 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575928926 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575952053 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575965881 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575974941 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575984955 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.575993061 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576003075 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576013088 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576030970 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576040030 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576049089 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576060057 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576069117 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576081038 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.576090097 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.618463993 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.618722916 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.618798971 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.618798971 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.618849039 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.666119099 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.666461945 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.666523933 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.666523933 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.666569948 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.690574884 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.690871000 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.691041946 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.691041946 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.691123009 CET497366677192.168.2.44.251.123.83
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696078062 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696089029 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696098089 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696106911 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696213961 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696388006 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696472883 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696496010 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696506023 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696557999 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696567059 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.696703911 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:28.738173962 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:29.426928043 CET6677497364.251.123.83192.168.2.4
                                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:29.438647985 CET497366677192.168.2.44.251.123.83
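The packet table above records one session between the analysis host and 4.251.123.83 on TCP port 6677, which is what the "Detected TCP or UDP traffic on non-standard ports" signature flags. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the report's column order (timestamp, source port, destination port, source IP, destination IP), groups them into bidirectional flows, and reduces each flow to the indicators an analyst actually pivots on (remote IP:port, packet counts per direction, duration, whether the server port is on an allowlist). The six sample rows are copied from the table on this page; the STANDARD_PORTS allowlist is an assumption, not something the report defines.

```python
"""Reduce a Joe Sandbox style TCP packet trace to per-flow indicators.

Added example; this is not code from the Joe Sandbox report. The row layout
(timestamp, source port, destination port, source IP, destination IP) follows
the report's packet table. SAMPLE_ROWS holds six rows copied from the table on
this page; STANDARD_PORTS is an assumed allowlist for the non-standard-port check.
"""
import ipaddress
import re
from datetime import datetime
from typing import NamedTuple

# Six rows copied from the page's packet table (constructed sample input).
SAMPLE_ROWS = """\
Nov 12, 2024 14:56:28.571932077 CET  6677   49736  4.251.123.83  192.168.2.4
Nov 12, 2024 14:56:28.572922945 CET  49736  6677   192.168.2.4   4.251.123.83
Nov 12, 2024 14:56:28.618463993 CET  6677   49736  4.251.123.83  192.168.2.4
Nov 12, 2024 14:56:28.618798971 CET  49736  6677   192.168.2.4   4.251.123.83
Nov 12, 2024 14:56:29.426928043 CET  6677   49736  4.251.123.83  192.168.2.4
Nov 12, 2024 14:56:29.438647985 CET  49736  6677   192.168.2.4   4.251.123.83
"""

# Assumed allowlist of server ports a legitimate client would normally talk to.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080}

ROW_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) [A-Z]+\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sip>[\d.]+)\s+(?P<dip>[\d.]+)$"
)


class Packet(NamedTuple):
    ts: datetime
    sport: int
    dport: int
    sip: str
    dip: str


class FlowSummary(NamedTuple):
    remote_ip: str
    remote_port: int
    local_ip: str
    local_port: int
    inbound: int       # packets remote -> local
    outbound: int      # packets local -> remote
    duration_s: float
    nonstandard_port: bool


def parse_timestamp(ts: str) -> datetime:
    """Joe Sandbox prints nanoseconds; strptime's %f accepts at most 6 digits."""
    head, frac = ts.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text: str) -> list[Packet]:
    """Parse report rows; a row that does not match the layout is an error."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        packets.append(Packet(parse_timestamp(m["ts"]), int(m["sport"]),
                              int(m["dport"]), m["sip"], m["dip"]))
    return packets


def summarise(packets: list[Packet]) -> list[FlowSummary]:
    """Group packets into bidirectional flows and derive indicators for each."""
    flows: dict[tuple, list[Packet]] = {}
    for p in packets:
        key = tuple(sorted([(p.sip, p.sport), (p.dip, p.dport)]))
        flows.setdefault(key, []).append(p)

    summaries = []
    for (a, b), pkts in flows.items():
        # The non-private endpoint is the remote server; if both or neither
        # are private, take the lower port as the server side.
        a_priv = ipaddress.ip_address(a[0]).is_private
        b_priv = ipaddress.ip_address(b[0]).is_private
        if a_priv != b_priv:
            local, remote = (a, b) if a_priv else (b, a)
        else:
            local, remote = (a, b) if a[1] > b[1] else (b, a)
        inbound = sum(1 for p in pkts if (p.sip, p.sport) == remote)
        times = [p.ts for p in pkts]
        summaries.append(FlowSummary(
            remote_ip=remote[0], remote_port=remote[1],
            local_ip=local[0], local_port=local[1],
            inbound=inbound, outbound=len(pkts) - inbound,
            duration_s=(max(times) - min(times)).total_seconds(),
            nonstandard_port=remote[1] not in STANDARD_PORTS,
        ))
    return summaries


if __name__ == "__main__":
    for s in summarise(parse_rows(SAMPLE_ROWS)):
        flag = "NON-STANDARD PORT" if s.nonstandard_port else "standard port"
        print(f"{s.local_ip}:{s.local_port} <-> {s.remote_ip}:{s.remote_port} "
              f"in={s.inbound} out={s.outbound} {s.duration_s:.3f}s {flag}")
```

Run against the full table rather than the six sample rows, the same code yields the server-heavy packet ratio visible above (dozens of inbound segments against a handful of client acknowledgements), which is the shape of a stealer pulling a configuration or payload from its C2 rather than pushing stolen data. The fixed allowlist is deliberately simple; in production the server-port check is better expressed as a Suricata or firewall rule than a Python set.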

Target ID: 0
Start time: 08:55:58
Start date: 12/11/2024
Path: C:\Users\user\Desktop\jyRdJ06Naz.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\jyRdJ06Naz.exe"
Imagebase: 0xd0000
File size: 49'460'692 bytes
MD5 hash: C83B55A55FAF5FF57DCFB50C4344521A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 1
Start time: 08:55:58
Start date: 12/11/2024
Path: C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp" /SL5="$2042A,48507756,797184,C:\Users\user\Desktop\jyRdJ06Naz.exe"
Imagebase: 0x2b0000
File size: 3'287'552 bytes
MD5 hash: 6F170135AEC26A106334B8FEF0F3AB5A
Has elevated privileges: true
                                                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                                                                            Target ID:6
                                                                                                                                                                                                                                                                            Start time:08:56:20
                                                                                                                                                                                                                                                                            Start date:12/11/2024
                                                                                                                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe
                                                                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe"
                                                                                                                                                                                                                                                                            Imagebase:0x3f0000
                                                                                                                                                                                                                                                                            File size:346'112 bytes
                                                                                                                                                                                                                                                                            MD5 hash:C9B68B9567CC9067794E32999C02BFA7
                                                                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2006656227.00000000027AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                                                                                            Has exited:true
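The two process blocks above record an Inno Setup drop chain: the submitted executable extracts its setup program into Temp\is-PUDAC.tmp and starts it with the Inno Setup loader switch /SL5, whose last field is the path of the original installer; that setup program then writes and runs ttgtggt.exe from AppData\Local\Programs, the process whose memory matched the RedLine and PureLog rules. The Python script below is an added example and is not part of the Joe Sandbox report. It parses the report's own Key:value process blocks (the input is constructed here from the lines above), splits the /SL5 switch and the memory-dump names attached to the Yara hits, and separates hits that fall inside the mapped on-disk image from hits in private read-write memory. The meaning assigned to the dump-name fields (target id, phase, address, Win32 PAGE_* protection, MEM_* region type) is an assumption that is consistent with the values on this page, not documented behaviour, and the in-image test uses the file size as a stand-in for the mapped image size.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the two process blocks of this report as plain Key:value
# lines (the sandbox's own layout with the leading whitespace removed).
REPORT_TEXT = r"""
Target ID:1
Path:C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp
Commandline:"C:\Users\user\AppData\Local\Temp\is-PUDAC.tmp\jyRdJ06Naz.tmp" /SL5="$2042A,48507756,797184,C:\Users\user\Desktop\jyRdJ06Naz.exe"
MD5 hash:6F170135AEC26A106334B8FEF0F3AB5A

Target ID:6
Path:C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe
Commandline:"C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe"
Imagebase:0x3f0000
File size:346'112 bytes
MD5 hash:C9B68B9567CC9067794E32999C02BFA7
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000000.1930311568.00000000003F2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.2006656227.0000000002794000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
"""

YARA_RE = re.compile(r"Rule: (?P<rule>[^,]+), .*Source: (?P<src>[^,]+), Author:")
# Inno Setup loader switch: /SL5="$<hwnd>,<offset>,<offset>,<original installer path>"
SL5_RE = re.compile(r'/SL5="\$(?P<hwnd>[0-9A-Fa-f]+),(?P<off0>\d+),(?P<off1>\d+),(?P<orig>[^"]+)"')
INNO_TEMP_RE = re.compile(r"\\Temp\\is-[A-Z0-9]+\.tmp\\", re.I)   # Inno Setup's own temp copy
# Assumption: fields 5 and 7 of a dump name carry Win32 PAGE_* and MEM_* constants.
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class Target:
    fields: dict = field(default_factory=dict)
    yara: list = field(default_factory=list)      # (rule name, parsed dump name)

    def imagebase(self):
        return int(self.fields["Imagebase"], 16)

    def file_size(self):                          # "346'112 bytes" -> 346112
        return int(self.fields["File size"].split()[0].replace("'", ""))


def parse_dump_id(name):
    """Split <target>.<phase>.<id>.<address>.<protect>.<x>.<type>.<y>.sdmp into its fields."""
    parts = re.sub(r"\.sdmp$", "", name).split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    protect, mem_type = int(parts[4], 16), int(parts[6], 16)
    return {"target_id": int(parts[0]), "phase": int(parts[1]), "address": int(parts[3], 16),
            "protect": PROTECT.get(protect, hex(protect)), "mem_type": MEM_TYPE.get(mem_type, hex(mem_type))}


def parse_sl5(cmdline):
    """Return hwnd, the two loader offsets and the original installer path, or None."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {"hwnd": int(m["hwnd"], 16), "offsets": (int(m["off0"]), int(m["off1"])), "original": m["orig"]}


def parse_targets(text):
    """Turn the report's Key:value process blocks into Target records."""
    targets, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Target ID:"):
            cur = Target()
            targets.append(cur)
        if not line or cur is None:
            continue
        m = YARA_RE.search(line)
        if m:
            cur.yara.append((m["rule"], parse_dump_id(m["src"])))
        elif ":" in line:
            key, value = line.split(":", 1)   # first colon only: values contain "C:\"
            cur.fields[key] = value
    return targets


def triage(targets):
    """Summarise the drop chain and sort Yara hits by where in memory they were found."""
    by_id = {int(t.fields["Target ID"]): t for t in targets}
    out = {"installer": None, "dropped": [], "md5": [], "yara_rules": set(),
           "in_image_hits": [], "private_hits": []}
    for t in targets:
        out["md5"].append(t.fields["MD5 hash"].lower())
        sl5 = parse_sl5(t.fields.get("Commandline", ""))
        if sl5:
            out["installer"] = sl5["original"]
        elif not INNO_TEMP_RE.search(t.fields["Path"]):
            out["dropped"].append(t.fields["Path"])   # ran from somewhere the installer wrote
        for rule, dump in t.yara:
            out["yara_rules"].add(rule)
            owner = by_id.get(dump["target_id"], t)
            # Heuristic: the on-disk size stands in for the mapped image size.
            in_image = owner.imagebase() <= dump["address"] < owner.imagebase() + owner.file_size()
            hit = (rule, hex(dump["address"]), dump["protect"], dump["mem_type"])
            (out["in_image_hits"] if in_image else out["private_hits"]).append(hit)
    out["yara_rules"] = sorted(out["yara_rules"])
    return out


if __name__ == "__main__":
    for key, value in triage(parse_targets(REPORT_TEXT)).items():
        print(f"{key}: {value}")
```

The split between in_image_hits and private_hits is the point of the exercise: a rule that fires on the read-only image region at process start (here PureLog at 0x3F2000, just above the 0x3F0000 image base) means the dropped file itself carries the signature and can be hunted on disk by hash or rule, while a rule that only fires on private read-write memory at the end of the run (RedLine at 0x2794000) is evidence of unpacked or decrypted payload that a disk-only scan will miss.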


Execution Graph

Execution Coverage:16.8%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:6
Total number of Limit Nodes:0
execution_graph (interactive rendering not reproduced; the six nodes form two chains): 7ffd9bad8a5a -> 7ffd9bad8a5f CreateFileA -> 7ffd9bad8c22; 7ffd9bad9551 -> 7ffd9bad956f ReadFile -> 7ffd9bad966d

Control-flow Graph

control_flow_graph (interactive rendering not reproduced): function at 7ffd9bae4a99, basic blocks spanning 7ffd9bae4a99-7ffd9bae75c4, with calls to 7ffd9bae76e1, 7ffd9bae7681, 7ffd9bae75f3, 7ffd9bad9d90 and 7ffd9bad1408
Strings
Memory Dump Source
• Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: d7cdfcb8bcc37a475850780d422f0e3db103d625102d7b65060c11e1a3a8b01d
• Instruction ID: 594a42c57a6e93510d5002f29ef0391da55baf9cc5c62611f5b9be99c508fcee
• Opcode Fuzzy Hash: d7cdfcb8bcc37a475850780d422f0e3db103d625102d7b65060c11e1a3a8b01d
• Instruction Fuzzy Hash: B1438B70A1996D8FDFA8DF18C895BA9B7B1FB68301F5041EA900DE3291DE756E81CF40

Control-flow Graph

control_flow_graph (interactive rendering not reproduced): function at 7ffd9b989d02, basic blocks spanning 7ffd9b989d02-7ffd9b98b689, no call edges
Memory Dump Source
• Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8ba1a5376296d153b86ca4e791af0ec09abb54a0f75d4c78f0a011e5321e7c3
• Instruction ID: c06a3349a83e611ec1fc9153ac48a3ec2b2e03c2c2dcd24c47b863c6ef6143ec
• Opcode Fuzzy Hash: d8ba1a5376296d153b86ca4e791af0ec09abb54a0f75d4c78f0a011e5321e7c3
• Instruction Fuzzy Hash: 8913A431B1EE8D4FD7A9EB2C8464A2877E1FF99710B0545BEE09EC72A3DD24AC418741

Control-flow Graph

                                                                                                                                                                                                                                                                              control_flow_graph 1085 7ffd9b9816b3-7ffd9b9816c9 1086 7ffd9b9816d1-7ffd9b98179e 1085->1086 1087 7ffd9b9816cb-7ffd9b9816d0 1085->1087 1094 7ffd9b9817a4-7ffd9b9817a5 1086->1094 1095 7ffd9b981910-7ffd9b981921 1086->1095 1087->1086 1096 7ffd9b9817a7-7ffd9b9817b7 1094->1096 1098 7ffd9b981a52-7ffd9b981a61 1095->1098 1099 7ffd9b981927-7ffd9b981937 1095->1099 1101 7ffd9b9818a2-7ffd9b9818a6 1096->1101 1102 7ffd9b9817bd-7ffd9b981802 1096->1102 1103 7ffd9b981a69-7ffd9b981a7c 1098->1103 1108 7ffd9b98193d-7ffd9b981975 1099->1108 1109 7ffd9b981a15-7ffd9b981a19 1099->1109 1104 7ffd9b9818b8 1101->1104 1105 7ffd9b9818a8-7ffd9b9818b6 1101->1105 1134 7ffd9b981804-7ffd9b981807 1102->1134 1135 7ffd9b98180c-7ffd9b981810 1102->1135 1107 7ffd9b9818bd-7ffd9b9818c0 1104->1107 1105->1107 1107->1103 1114 7ffd9b9818c6-7ffd9b9818ca 1107->1114 1138 7ffd9b98197f-7ffd9b981983 1108->1138 1139 7ffd9b981977-7ffd9b98197a 1108->1139 1112 7ffd9b981a31 1109->1112 1113 7ffd9b981a1b-7ffd9b981a2f 1109->1113 1115 7ffd9b981a33-7ffd9b981a35 1112->1115 1113->1115 1116 7ffd9b9818e2 1114->1116 1117 7ffd9b9818cc-7ffd9b9818e0 1114->1117 1121 7ffd9b981a93-7ffd9b981ab9 1115->1121 1122 7ffd9b981a37-7ffd9b981a44 1115->1122 1124 7ffd9b9818e4-7ffd9b9818e6 1116->1124 1117->1124 1153 7ffd9b981ac3-7ffd9b981ad8 1121->1153 1154 7ffd9b981abb-7ffd9b981ac2 1121->1154 1137 7ffd9b981a46-7ffd9b981a4c 1122->1137 1127 7ffd9b981a7d-7ffd9b981a80 1124->1127 1128 7ffd9b9818ec-7ffd9b9818f9 1124->1128 1136 7ffd9b981a8b-7ffd9b981a8c 1127->1136 1141 7ffd9b9818fb-7ffd9b981905 1128->1141 1142 7ffd9b981895-7ffd9b9818a0 1134->1142 1145 7ffd9b981812-7ffd9b98181e 1135->1145 1146 7ffd9b98184e-7ffd9b98187b 1135->1146 1136->1121 1137->1098 1137->1099 1143 7ffd9b9819c1-7ffd9b9819ee 
1138->1143 1144 7ffd9b981985-7ffd9b981991 1138->1144 1140 7ffd9b981a08-7ffd9b981a13 1139->1140 1140->1137 1141->1096 1148 7ffd9b98190b 1141->1148 1142->1141 1143->1140 1162 7ffd9b9819f0-7ffd9b9819fe 1143->1162 1149 7ffd9b981993-7ffd9b981994 1144->1149 1150 7ffd9b98199c-7ffd9b9819bf 1144->1150 1151 7ffd9b981820-7ffd9b981821 1145->1151 1152 7ffd9b981829-7ffd9b98184c 1145->1152 1146->1142 1164 7ffd9b98187d-7ffd9b981893 1146->1164 1148->1103 1149->1150 1150->1140 1151->1152 1152->1142 1153->1136 1158 7ffd9b981ada-7ffd9b981b4c 1153->1158 1154->1153 1173 7ffd9b981b4d-7ffd9b981b59 1158->1173 1162->1140 1169 7ffd9b981a00-7ffd9b981a06 1162->1169 1164->1142 1169->1140 1175 7ffd9b981b5b-7ffd9b981b9d 1173->1175 1179 7ffd9b981ba3-7ffd9b981ba4 1175->1179 1180 7ffd9b981ca1-7ffd9b981cb2 1175->1180 1181 7ffd9b981ba6-7ffd9b981bb6 1179->1181 1184 7ffd9b981cb8-7ffd9b981cc8 1180->1184 1185 7ffd9b981d75-7ffd9b981d84 1180->1185 1186 7ffd9b981c33-7ffd9b981c37 1181->1186 1187 7ffd9b981bb8-7ffd9b981c01 1181->1187 1193 7ffd9b981cca-7ffd9b981d15 1184->1193 1194 7ffd9b981d38-7ffd9b981d3c 1184->1194 1188 7ffd9b981d8c-7ffd9b981d9d 1185->1188 1189 7ffd9b981c49 1186->1189 1190 7ffd9b981c39-7ffd9b981c47 1186->1190 1205 7ffd9b981c07-7ffd9b981c10 1187->1205 1195 7ffd9b981c4e-7ffd9b981c51 1189->1195 1190->1195 1214 7ffd9b981d2b-7ffd9b981d36 1193->1214 1215 7ffd9b981d17-7ffd9b981d2a 1193->1215 1198 7ffd9b981d54 1194->1198 1199 7ffd9b981d3e-7ffd9b981d52 1194->1199 1195->1188 1201 7ffd9b981c57-7ffd9b981c5b 1195->1201 1204 7ffd9b981d56-7ffd9b981d58 1198->1204 1199->1204 1202 7ffd9b981c73 1201->1202 1203 7ffd9b981c5d-7ffd9b981c71 1201->1203 1207 7ffd9b981c75-7ffd9b981c77 1202->1207 1203->1207 1209 7ffd9b981db4-7ffd9b981dd9 1204->1209 1210 7ffd9b981d5a-7ffd9b981d67 1204->1210 1212 7ffd9b981c12-7ffd9b981c25 1205->1212 1213 7ffd9b981c26-7ffd9b981c31 1205->1213 1216 7ffd9b981d9e-7ffd9b981dad 1207->1216 1217 7ffd9b981c7d-7ffd9b981c8a 1207->1217 1230 7ffd9b981de1-7ffd9b981e6d 1209->1230 1231 
7ffd9b981ddb-7ffd9b981ddf 1209->1231 1222 7ffd9b981d69-7ffd9b981d6f 1210->1222 1212->1213 1227 7ffd9b981c8c-7ffd9b981c96 1213->1227 1214->1222 1215->1214 1216->1209 1217->1227 1222->1184 1222->1185 1227->1181 1229 7ffd9b981c9c 1227->1229 1229->1188 1235 7ffd9b981e6f-7ffd9b981e7c 1230->1235 1236 7ffd9b981e86-7ffd9b981ea7 1230->1236 1231->1230 1235->1236 1238 7ffd9b981e7e-7ffd9b981e84 1235->1238 1242 7ffd9b981eac-7ffd9b981eb0 1236->1242 1238->1236 1243 7ffd9b9821bc-7ffd9b9821cd 1242->1243 1244 7ffd9b981eb6-7ffd9b981eca 1242->1244 1244->1243 1246 7ffd9b981ed0-7ffd9b981ef0 1244->1246 1246->1242 1248 7ffd9b981ef2-7ffd9b981f06 1246->1248 1248->1243
Memory Dump Source
• Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7716a99af5c253de07ad48974dd5064a80aed52d7689edffc456ee4f99fb06c
• Instruction ID: a921624a313a9c628d0c894b28abcf5d849623368fb077d8fd180fd15bb0313c
• Opcode Fuzzy Hash: b7716a99af5c253de07ad48974dd5064a80aed52d7689edffc456ee4f99fb06c
• Instruction Fuzzy Hash: E7520530B1DE595FEBA8D76C9469A7537D1EF9A310B0502BAD04EC72F7DE24AC428381

Memory Dump Source
• Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6afa4d2087bbc85e751f659a92054f7b273e5a988b57cd3e15d491890cfc02f5
• Instruction ID: 6ea861ad3d2f098d062fecdfb2c0a25938ab0a7c2a78efdc149eb43174e3ba37
• Opcode Fuzzy Hash: 6afa4d2087bbc85e751f659a92054f7b273e5a988b57cd3e15d491890cfc02f5
• Instruction Fuzzy Hash: 1C72DC70E1996D8FDBA4EB58C8A5BA8B7B1FF58300F5141E9D00DE32A5DA746E81CF40

Memory Dump Source
• Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc5b66c51c649600ace9dcaaa9f218cc57d7a4ecc17c92ae193fcead22388ed9
• Instruction ID: 8c030fca9aa8a08c507c8e6425dbb70b9b2a5370d59a24bb18e2ef5e0396c0d5
• Opcode Fuzzy Hash: fc5b66c51c649600ace9dcaaa9f218cc57d7a4ecc17c92ae193fcead22388ed9
• Instruction Fuzzy Hash: E4322521F1D60E4BE7799AAC947927973C1FF85318F16017EE4CEC32E6DE29A9428241

Memory Dump Source
• Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe05b6b25a1812896801ccfd19edc373af93f3498994a011ff387b11820c5360
• Instruction ID: c41c1e568b635d6fe219f46f8475e25cea1c6f3a41fbec413679f2756c83f219
• Opcode Fuzzy Hash: fe05b6b25a1812896801ccfd19edc373af93f3498994a011ff387b11820c5360
• Instruction Fuzzy Hash: AE32C531B1DA0D4FEBA8EB6C98656B877D1FF98314F0501BAE48DC32E6DD24AD428741
Memory Dump Source
• Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 08eaff0bf74c59a875975d2294feb2fef778c02361a027892a6ce248ddd8ea35
                                                                                                                                                                                                                                                                              • Instruction ID: 1813dca8816ccc8901ad4191bf099362fa808ef8e5d90a8465e9c10228bf61de
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 08eaff0bf74c59a875975d2294feb2fef778c02361a027892a6ce248ddd8ea35
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E822C371B2EE495FEBA8EB2C846566877E1FF55700B0601BEE44EC72B3DD24AC418341
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: b1f37aab9530ecf8a33ded7b5fc70286f883eca0b78f5cca710d8f93fa844576
                                                                                                                                                                                                                                                                              • Instruction ID: ea5f36292861f4e5c02da5c8008a43463dec840aee94e3e248632c5e65f47295
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b1f37aab9530ecf8a33ded7b5fc70286f883eca0b78f5cca710d8f93fa844576
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B852CD70A1992D8FDFA8DB58C8A4BA9B7B1FB58305F1041EA900DE3291DF756E81CF40
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 96def45affaa3e97104dba060e92ad3d99a62c4d37f9b6554ec36b1683667c38
                                                                                                                                                                                                                                                                              • Instruction ID: 694682819a1d28ef96e6d4de578f6b750dda59a403ea5a08f6137a1cdff05c7e
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 96def45affaa3e97104dba060e92ad3d99a62c4d37f9b6554ec36b1683667c38
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D5F13321F0DA5E4BE7799BA8846527A77C1EF85310F56017DE48EC31F2EFACA9428341
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: a0cdd009866833bdfa906665e281ba2d49e57dc4b3279949d89a5cc5b4990c5e
                                                                                                                                                                                                                                                                              • Instruction ID: 501d1be99f826f690ee4abcd939684e0a0eafd3cdeff1a14728da33eb33a2d6c
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a0cdd009866833bdfa906665e281ba2d49e57dc4b3279949d89a5cc5b4990c5e
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6C12AC70E1592D8FDBA8DB58C899BA9B7B1FB68301F5041EAD00DE3295DE746E81CF40
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: bd1f8596cda2603d4599507080bb95def9ab36e211d3e0f781d72be4dd37632d
                                                                                                                                                                                                                                                                              • Instruction ID: b88a7e530c6008a0cb60122495f2de5c0bf19f427baaad4f5f16a7709c423c35
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bd1f8596cda2603d4599507080bb95def9ab36e211d3e0f781d72be4dd37632d
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FDF1AB74A1592D8FDFA8DF18C895BA9B7B1FB68305F1041EA810DE3291DB716E81CF44

Control-flow Graph (basic blocks in address order; "->" lists the successor blocks)

691  7ffd9b98d439-7ffd9b98d4bd  -> 695, 696
696  7ffd9b98d4bf-7ffd9b98d4d1  -> 695
695  7ffd9b98d4d7-7ffd9b98d52d  -> 704, 705
705  7ffd9b98d533-7ffd9b98d580  -> 704, 722
722  7ffd9b98d586-7ffd9b98d5f0  -> 704, 748
748  7ffd9b98d5f6-7ffd9b98d643  -> 704, 772
772  7ffd9b98d649-7ffd9b98d6ae  -> 704, 789
789  7ffd9b98d6b4-7ffd9b98d71e  -> 704, 798
798  7ffd9b98d720-7ffd9b98d771  -> 704, 806
806  7ffd9b98d773-7ffd9b98d796  (no successors)
704  7ffd9b98d797-7ffd9b98d7ad  -> 708, 709
709  7ffd9b98d7af-7ffd9b98d7b4  -> 708
708  7ffd9b98d7b5-7ffd9b98d82b  -> 717, 718
718  7ffd9b98d82d-7ffd9b98d843  -> 717
717  7ffd9b98d845-7ffd9b98d89b  -> 732, 733
732  7ffd9b98d89d-7ffd9b98d8ee  -> 733, 756
756  7ffd9b98d8f0-7ffd9b98d911  (no successors)
733  7ffd9b98d912-7ffd9b98d9b1  -> 741, 742
742  7ffd9b98d9b3-7ffd9b98d9c9  -> 741
741  7ffd9b98d9cb-7ffd9b98da32  -> 758, 759
759  7ffd9b98da34-7ffd9b98da38  -> 761, 762
762  7ffd9b98da3e-7ffd9b98da56  -> 767, 768
767  7ffd9b98da58-7ffd9b98da61  -> 758
758  7ffd9b98da63-7ffd9b98da8d  -> 773
768  7ffd9b98da92-7ffd9b98dad8  -> 781, 782
782  7ffd9b98dada-7ffd9b98db00  -> 781
781  7ffd9b98db06-7ffd9b98db19  -> 773
773  7ffd9b98db1f-7ffd9b98db46  -> 761, 762
761  7ffd9b98db4c-7ffd9b98db5a  (no successors)
Strings
Memory Dump Source
• Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 6017d42c95a0ad231432e880bf5117937352ffdb1f384cd020c219cb047d07c6
• Instruction ID: 5f5171743f2879bb35fa66f42488b267c6adf3ed414a8c2902b8c1e54c558ed5
• Opcode Fuzzy Hash: 6017d42c95a0ad231432e880bf5117937352ffdb1f384cd020c219cb047d07c6
• Instruction Fuzzy Hash: 3A42F431B1EB891FE7A5EB6C98659287BE1EF56310B0A01FEE09DC71F3D924AC458341

Control-flow Graph (basic blocks in address order; "->" lists the successor blocks)

930  7ffd9bad8a5a-7ffd9bad8aef  -> 934, 935
934  7ffd9bad8af1-7ffd9bad8b00  -> 935, 936
936  7ffd9bad8b02-7ffd9bad8b05  -> 937, 938
937  7ffd9bad8b07-7ffd9bad8b1a  -> 940, 941
940  7ffd9bad8b1c                -> 941
941  7ffd9bad8b1e-7ffd9bad8b31  -> 941, 943
943  7ffd9bad8b33-7ffd9bad8b3b  -> 938
938  7ffd9bad8b3f-7ffd9bad8b47  -> 935
935  7ffd9bad8b4d-7ffd9bad8c20  CreateFileA  -> 945, 946
946  7ffd9bad8c22                -> 945
945  7ffd9bad8c28-7ffd9bad8c6c  call 7ffd9bad8c88  -> 950, 951
951  7ffd9bad8c6e                -> 950
950  7ffd9bad8c73-7ffd9bad8c87  (no successors)
APIs
Memory Dump Source
• Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 643959bee2360c800f3879ff67e546a5cd6b431dc58d30f7b0c2740dc984aac4
• Instruction ID: c4ec97c5dfb74a5433ec18306f9d7e020267def1a2d9ce3dc3d4c25b3698ba82
• Opcode Fuzzy Hash: 643959bee2360c800f3879ff67e546a5cd6b431dc58d30f7b0c2740dc984aac4
• Instruction Fuzzy Hash: 8E71C470A18A4C8FEB68EF2CD8567E977D1FB58310F14426AE84DC7251DB74E9418BC2

Control-flow Graph (figure not reproduced)
APIs
Memory Dump Source
• Source File: 00000006.00000002.2036686566.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9bad0000_ttgtggt.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0

Control-flow Graph (figure not reproduced)
Strings
Memory Dump Source
• Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
Similarity
• API ID:
• String ID: ~>_H
• API String ID: 0-3245688848
Memory Dump Source
• Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 4382fa235ad51fdca49b1de3a083111941a601f3b3901d7e378ba6a67e0f590a
                                                                                                                                                                                                                                                                              • Instruction ID: 0a98be7338dc4263607258d0e5cb15f962b42406b2cd9a0e10d48a3c3593f466
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4382fa235ad51fdca49b1de3a083111941a601f3b3901d7e378ba6a67e0f590a
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: F081F420B1DA490FE769D7AC9465A743BD1EF9A720B1501BBD08EC72F7DD28AD428381
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 49c57e0d5fc57db58c3284c0ed09dcac1ef31e07ceed0a9c7e7f079a4b20c2b7
                                                                                                                                                                                                                                                                              • Instruction ID: 1207e5f36ecdc76d2938f54263e7f8bf85e0dc03cc20b189f232baef0d7c306a
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 49c57e0d5fc57db58c3284c0ed09dcac1ef31e07ceed0a9c7e7f079a4b20c2b7
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9171D83171DE484FE799DB2C98659643BE2EF9A31070A02EFE48DC72B3DD24AC028741
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 07b546ad1d91cbc610e7514dd03aa48186b0632a8417a899e1dba18e0c3359d5
                                                                                                                                                                                                                                                                              • Instruction ID: eeb0d0098e3836fe3aec27249b9cd5feebd21a26e1dbc9d01657e5489cc0ff0c
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 07b546ad1d91cbc610e7514dd03aa48186b0632a8417a899e1dba18e0c3359d5
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FC91D471B0DA5D4FDB58CB6C88686AD7BE2FF9D350F05027EE04DE32A2DA2459018B81
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: d525d0101e7c18f45384ed9946e52afe5fb9e816bdbb2ce95d7e6a8913c4288a
                                                                                                                                                                                                                                                                              • Instruction ID: 1c1c198ee1487a20e64920620db5cceb4f79f5d9e6fa5464d4550967bd9419ea
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: d525d0101e7c18f45384ed9946e52afe5fb9e816bdbb2ce95d7e6a8913c4288a
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7FB18870A1961D8FDBA9EB58C894BA8B7B5FF59301F5041E9D00DE72A5CB34AE81CF40
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: bf0ad51154d09f2f36e1d379032c2f4d3da8ae252eb4c5165a231dc5ab7f4ab0
                                                                                                                                                                                                                                                                              • Instruction ID: cfe2c0445f01f1e9aaaac2afc2f07eb13791902963355da14315660e1a5133c3
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: bf0ad51154d09f2f36e1d379032c2f4d3da8ae252eb4c5165a231dc5ab7f4ab0
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4A811852B0E5AA4AE31A7BFC7C768F93F50EF46329B0941F7D09D4A0E3EC0964464786
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: deed2a957e9e5ee23752ff015a277f9ad15d4904fcb6593793b8d4837708ef88
                                                                                                                                                                                                                                                                              • Instruction ID: 58ee7dde5028d9e43e19be248edc2281c2d902c80922b30cf059ba86f1e78556
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: deed2a957e9e5ee23752ff015a277f9ad15d4904fcb6593793b8d4837708ef88
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4D91E830A0991D8FDBA4EBA8D8A5BAD77E1FF59310F4101B9D00DD72A6CE74A985CF40
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: ffd5df7cc444c1813f96786b43cdda346965dc56fe7a79e763accea9b9072610
                                                                                                                                                                                                                                                                              • Instruction ID: fa9c3b07b808a32bc69132fb279f2f1c24bd26ed9af572419999fb8d82a96e49
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ffd5df7cc444c1813f96786b43cdda346965dc56fe7a79e763accea9b9072610
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8451253172DE4C5FDBA8DA1C9465A757BE2EB99710B0501BFE08EC32A2DD21EC428381
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 1c81fe6db754cd9e86df82b9c39a63b6ae5d4e1932766b80c887e384cb1a9de7
                                                                                                                                                                                                                                                                              • Instruction ID: cdce7e76654d8410134bb0cca0f8142a48a43afb648e94e2d09735f7b529a116
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 59749703153ec25db151afbec0748177b922792c9153a5480374c7f7b696d517
                                                                                                                                                                                                                                                                              • Instruction ID: 25d0fd01e919b68e6e758dceb0e8f9061e3ac35e8a9da3bf9573bae2cca93b52
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 59749703153ec25db151afbec0748177b922792c9153a5480374c7f7b696d517
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C6115E71B2EA891FD365DB5C84651293BD2EF95710B1A027EE08CC32F2CD39ED058705
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 7fb5db9aa7c5b1168cb8241967740f95d5cfcada3f25606703691c5368ee21c1
                                                                                                                                                                                                                                                                              • Instruction ID: eeb545a0a0703962e5af552c96083676aa4e17e07d0d9d9603745c3fcfcff269
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7fb5db9aa7c5b1168cb8241967740f95d5cfcada3f25606703691c5368ee21c1
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 62010431E1E68D5FE7A5AB7488762FD7BA0EF58300F0502BAE018C60E3ED2825408B41
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2034259929.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b980000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 19e42cb769ec2d1738d793be2cbfcc8a204db213b206cad067b369c0153193d7
                                                                                                                                                                                                                                                                              • Instruction ID: 9a521ac7e3ac56bff4df55485d2d54232f2140562eafe81a66715f7b6de5951c
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 19e42cb769ec2d1738d793be2cbfcc8a204db213b206cad067b369c0153193d7
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6611C83071ED899FDBA5DB6CD464A247BE1EF55700B1941ADE04DC71E2CE29EC80CB85
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: c7b6cd07b8f28f65b11b73a2dc40cf106f15fd6dff15ec0a687c189a5addbcb4
                                                                                                                                                                                                                                                                              • Instruction ID: c054f9373aad6b20d0beb6ba2a7dfa07460385ea146deff083ec14e2f6f070e8
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c7b6cd07b8f28f65b11b73a2dc40cf106f15fd6dff15ec0a687c189a5addbcb4
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E701DB12A1E5AA46D72623FD6C751F93750EF46528F0D01B3E0DC850E3DC19661785D2
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: a16bb3174fbc97887c6adaa39f20fc6762e3d528c50c5d3146a2425f00b2b69d
                                                                                                                                                                                                                                                                              • Instruction ID: 659c2d758d5c529fd47000520082ac10f9e47314388dec7ec3f05a502aec692c
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a16bb3174fbc97887c6adaa39f20fc6762e3d528c50c5d3146a2425f00b2b69d
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DA014870908A4D8FDF85EF68C858AEA7BF0FF68300F0005AAD418C72A1DB309694CB81
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 983800de7148414de21c807dd2d8ed1a4f4f7bb8a48ffc88d458da03b0d3e77d
                                                                                                                                                                                                                                                                              • Instruction ID: d422086ba30f2f51e41310e0c800d1de2899605838eb3f1afdb5954315783dca
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 983800de7148414de21c807dd2d8ed1a4f4f7bb8a48ffc88d458da03b0d3e77d
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6001D630914A4D9FDF94EF68C849AEE7BF0FB28305F00056AE81DD3264DB30A690CB81
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                                              • Opcode ID: 7ffb2757c0a8f2f01998afaba2945423a6eae733b365a1f2f2480bb178b3b032
                                                                                                                                                                                                                                                                              • Instruction ID: ba068c2ae7e26f6e1192144348e084ce3373b28b323a6e70584c7fb76dc9bfb3
                                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7ffb2757c0a8f2f01998afaba2945423a6eae733b365a1f2f2480bb178b3b032
                                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: D301C830914A1D9FDF84EF68C849AEE77F0FB68305F00056AA819D3260DB30A590CB81
                                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                                              • Source File: 00000006.00000002.2032564007.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_6_2_7ffd9b8b0000_ttgtggt.jbxd