Windows Analysis Report
rHACNp6WFk.exe

Overview

General Information

Sample name: rHACNp6WFk.exe (renamed because the original name is a hash value)
Original sample name: f7d1d2548bed4be604171cd18e535106e4549d646afb585265fb27d09c0feb7a.exe
Analysis ID: 1554440
MD5: e8257a3a7ba4046f50d7795afa5b90b9
SHA1: 26368c267e2545eaa34cd33898daa4d9e12ab159
SHA256: f7d1d2548bed4be604171cd18e535106e4549d646afb585265fb27d09c0feb7a
Tags: 4-251-123-83, exe, user-JAMESWT_MHT

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Meduza Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rHACNp6WFk.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\rHACNp6WFk.exe" MD5: E8257A3A7BA4046F50D7795AFA5B90B9)
    • rHACNp6WFk.tmp (PID: 7580 cmdline: "C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp" /SL5="$10436,29074250,797184,C:\Users\user\Desktop\rHACNp6WFk.exe" MD5: D318E73231E30E6B64517F61073B5AF3)
      • ttgtggt.exe (PID: 7796 cmdline: "C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe" MD5: C9B68B9567CC9067794E32999C02BFA7)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"C2 url": "4.251.123.83:6677"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  Matched strings:
  • 0x45c19:$s1: file:///
  • 0x45b51:$s2: {11111-22222-10009-11112}
  • 0x45ba9:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c2b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Source | Rule | Description | Author
00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author
4.0.ttgtggt.exe.100000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
4.0.ttgtggt.exe.100000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
4.0.ttgtggt.exe.100000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
4.0.ttgtggt.exe.100000.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  Matched strings:
  • 0x45c19:$s1: file:///
  • 0x45b51:$s2: {11111-22222-10009-11112}
  • 0x45ba9:$s3: {11111-22222-50001-00000}
  • 0x423fa:$s4: get_Module
  • 0x42864:$s5: Reverse
  • 0x45226:$s6: BlockCopy
  • 0x42c23:$s7: ReadByte
  • 0x45c2b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
                            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP:Port -> Destination IP:Port | Protocol
2024-11-12T14:56:57.133259+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200:443 -> 192.168.2.8:49706 | TCP
2024-11-12T14:57:35.309360+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200:443 -> 192.168.2.8:49712 | TCP
2024-11-12T14:56:54.275070+0100 | 2046056 | 1 | A Network Trojan was detected | 4.251.123.83:6677 -> 192.168.2.8:49705 | TCP
2024-11-12T14:56:53.759174+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.8:49705 -> 4.251.123.83:6677 | TCP

                            AV Detection

Source: ttgtggt.exe.7796.4.memstrmin; Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}
Source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp; ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe (copy); ReversingLabs: Detection: 65%
Source: rHACNp6WFk.exe; ReversingLabs: Detection: 31%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.0% probability
Source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp; Joe Sandbox ML: detected
Source: rHACNp6WFk.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp; Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B61D3B6E-7045-4057-9E07-2D934A8C359C}_is1
Source: rHACNp6WFk.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: is-GUSOD.tmp.2.dr
Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: is-GUSOD.tmp.2.dr

                            Networking

Source: Network traffic; Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.8:49705 -> 4.251.123.83:6677
Source: Network traffic; Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.8:49705
Source: Malware configuration extractor; URLs: 4.251.123.83:6677
Source: global traffic; TCP traffic: 192.168.2.8:49705 -> 4.251.123.83:6677
Source: Joe Sandbox View; IP Address: 4.251.123.83
Source: Joe Sandbox View; ASN Name: LEVEL3US
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49706
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49712
Source: unknown; TCP traffic detected without corresponding DNS query: 4.251.123.83 (this entry appears 50 times in the report, one per connection)
Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: ttgtggt.exe, 00000004.00000002.1649583814.000000001B59C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002C15000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: rC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002C15000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: rC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb( equals www.youtube.com (Youtube)
Source: is-GUSOD.tmp.2.dr; String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-GUSOD.tmp.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://ocsp.digicert.com0
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002775000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field1Response
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field2Response
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000286F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/example/Field3Response
                            Source: rHACNp6WFk.tmp, 00000002.00000002.1554362154.000000000095C000.00000004.00000010.00020000.00000000.sdmp, is-GUSOD.tmp.2.drString found in binary or memory: http://www.digicert.com/CPS0
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000286F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000286F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: rHACNp6WFk.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                            Source: rHACNp6WFk.tmp, 00000002.00000003.1551738373.0000000000FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.github.com/
                            Source: rHACNp6WFk.exe, 00000000.00000003.1407144583.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.tmp, 00000002.00000003.1412075685.0000000003770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.github.com/.https://www.github.com/.https://www.github.com/
                            Source: rHACNp6WFk.exe, 00000000.00000003.1557115941.000000000282C000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.tmp, 00000002.00000003.1551738373.0000000000FEC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.github.com/a
                            Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: rHACNp6WFk.exe, 00000000.00000003.1408743597.000000007F88B000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.exe, 00000000.00000003.1408348042.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.tmp, 00000002.00000000.1410351911.00000000002B1000.00000020.00000001.01000000.00000004.sdmp, is-2T33C.tmp.2.drString found in binary or memory: https://www.innosetup.com/
                            Source: rHACNp6WFk.exe, 00000000.00000003.1408743597.000000007F88B000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.exe, 00000000.00000003.1408348042.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.tmp, 00000002.00000000.1410351911.00000000002B1000.00000020.00000001.01000000.00000004.sdmp, is-2T33C.tmp.2.drString found in binary or memory: https://www.remobjects.com/ps
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                            System Summary

                            Source: 4.0.ttgtggt.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, type: DROPPEDMatched rule: Detects zgRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A0C16B34_2_00007FFB4A0C16B3
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A0C9CE54_2_00007FFB4A0C9CE5
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A0CC50A4_2_00007FFB4A0CC50A
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A2313094_2_00007FFB4A231309
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A2118C94_2_00007FFB4A2118C9
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A2202754_2_00007FFB4A220275
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A23070D4_2_00007FFB4A23070D
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A229F914_2_00007FFB4A229F91
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A21BD394_2_00007FFB4A21BD39
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A21F5CD4_2_00007FFB4A21F5CD
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A21DAF44_2_00007FFB4A21DAF4
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A21C4994_2_00007FFB4A21C499
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A2270D94_2_00007FFB4A2270D9
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A2270904_2_00007FFB4A227090
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeCode function: 4_2_00007FFB4A2265794_2_00007FFB4A226579
                            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp 8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
                            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe (copy) 8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
                            Source: rHACNp6WFk.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: is-2T33C.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                            Source: rHACNp6WFk.exeStatic PE information: Number of sections : 11 > 10
                            Source: is-2T33C.tmp.2.drStatic PE information: Number of sections : 11 > 10
                            Source: rHACNp6WFk.tmp.0.drStatic PE information: Number of sections : 11 > 10
                            Source: rHACNp6WFk.exe, 00000000.00000003.1408743597.000000007FB7B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs rHACNp6WFk.exe
                            Source: rHACNp6WFk.exe, 00000000.00000000.1406891117.0000000000B69000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs rHACNp6WFk.exe
                            Source: rHACNp6WFk.exe, 00000000.00000003.1408348042.0000000002DDF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs rHACNp6WFk.exe
                            Source: rHACNp6WFk.exeBinary or memory string: OriginalFileName vs rHACNp6WFk.exe
                            Source: rHACNp6WFk.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: 4.0.ttgtggt.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, type: DROPPEDMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: classification engineClassification label: mal80.troj.spyw.evad.winEXE@5/11@0/1
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpFile created: C:\Users\user\AppData\Local\ProgramsJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeMutant created: NULL
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeFile created: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmpJump to behavior
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpFile read: C:\Users\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                            Source: rHACNp6WFk.exeReversingLabs: Detection: 31%
                            Source: rHACNp6WFk.exeString found in binary or memory: /LOADINF="filename"
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeFile read: C:\Users\user\Desktop\rHACNp6WFk.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\rHACNp6WFk.exe "C:\Users\user\Desktop\rHACNp6WFk.exe"
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeProcess created: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp "C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp" /SL5="$10436,29074250,797184,C:\Users\user\Desktop\rHACNp6WFk.exe"
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpProcess created: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe "C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe"
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeProcess created: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp "C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp" /SL5="$10436,29074250,797184,C:\Users\user\Desktop\rHACNp6WFk.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpProcess created: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe "C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe"Jump to behavior
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\rHACNp6WFk.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: mpr.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: iconcodecservice.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: windowscodecs.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: wtsapi32.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: winsta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: textinputframework.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: coreuicomponents.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: coremessaging.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: My Program.lnk.2.dr | LNK file: ..\..\..\..\..\Local\Programs\My Program\ttgtggt.exe
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Automated click: Next
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B61D3B6E-7045-4057-9E07-2D934A8C359C}_is1
Source: rHACNp6WFk.exe | Static file information: File size 30026469 > 1048576
Source: rHACNp6WFk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: is-GUSOD.tmp.2.dr
                            Source: Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: is-GUSOD.tmp.2.dr
Source: is-FGFQ0.tmp.2.dr | Static PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
Source: rHACNp6WFk.exe | Static PE information: section name: .didata
Source: rHACNp6WFk.tmp.0.dr | Static PE information: section name: .didata
Source: is-2T33C.tmp.2.dr | Static PE information: section name: .didata
Source: is-GUSOD.tmp.2.dr | Static PE information: section name: .wixburn
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Code function: 4_2_00007FFB49FF5CB5 push edx; iretd 4_2_00007FFB49FF5CBB
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Code function: 4_2_00007FFB49FF5D0E push edx; iretd 4_2_00007FFB49FF5CBB
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Code function: 4_2_00007FFB4A0CCB4F push eax; retf 4_2_00007FFB4A0CCB61
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Code function: 4_2_00007FFB4A0C6170 pushad ; ret 4_2_00007FFB4A0C6171
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Code function: 4_2_00007FFB4A0C2004 pushad ; retf 4_2_00007FFB4A0C2005
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Code function: 4_2_00007FFB4A2270D9 push ds; ret 4_2_00007FFB4A22795F
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Code function: 4_2_00007FFB4A227090 push ds; ret 4_2_00007FFB4A22795F
Source: C:\Users\user\Desktop\rHACNp6WFk.exe | File created: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | File created: C:\Users\user\AppData\Local\Programs\My Program\is-2T33C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | File created: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3O9NM.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | File created: C:\Users\user\AppData\Local\Programs\My Program\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | File created: C:\Users\user\AppData\Local\Programs\My Program\python-3.13.0-amd64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | File created: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | File created: C:\Users\user\AppData\Local\Programs\My Program\is-GUSOD.tmp

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Key value created or modified: HKEY_CURRENT_USER_Classes\.exe\OpenWithProgids File.exe
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\My Program.lnk
Source: C:\Users\user\Desktop\rHACNp6WFk.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Memory allocated: 880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Memory allocated: 1A5A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Window / User API: threadDelayed 1892
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Window / User API: threadDelayed 2810
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\My Program\is-2T33C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3O9NM.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\My Program\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\My Program\python-3.13.0-amd64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\My Program\is-GUSOD.tmp
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe TID: 8052 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe TID: 7820 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: ttgtggt.exe, 00000004.00000002.1649583814.000000001B5FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: ttgtggt.exe, 00000004.00000002.1637709747.00000000126CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeQueries volume information: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                            Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                            Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 7796, type: MEMORYSTR
Source: Yara match | File source: 4.0.ttgtggt.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, type: DROPPED
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 4.0.ttgtggt.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 7796, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, type: DROPPED
Source: Yara match | File source: 4.0.ttgtggt.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, type: DROPPED
Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectronCash
Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx
Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: ttgtggt.exe, 00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: ttgtggt.exe, 00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: Yara match | File source: 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 7796, type: MEMORYSTR

                            Remote Access Functionality

Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 7796, type: MEMORYSTR
Source: Yara match | File source: 4.0.ttgtggt.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, type: DROPPED
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 4.0.ttgtggt.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ttgtggt.exe PID: 7796, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, type: DROPPED
Source: Yara match | File source: 4.0.ttgtggt.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, type: DROPPED
MITRE ATT&CK Matrix (the matrix has one column per tactic; it is listed here column by column, and the numbers in brackets are the report's count badges for that technique, kept as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [221]; Command and Scripting Interpreter [2]; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Windows Service [1]; Registry Run Keys / Startup Folder [11]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Windows Service [1]; Process Injection [1]; Registry Run Keys / Startup Folder [11]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [241]; Process Injection [1]; Obfuscated Files or Information [1]; Timestomp [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [421]; Process Discovery [1]; Virtualization/Sandbox Evasion [241]; Application Window Discovery [1]; System Owner/User Discovery [2]; File and Directory Discovery [1]; System Information Discovery [113]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Local System [3]; Clipboard Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
rHACNp6WFk.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Mamut |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp | 66% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine |
C:\Users\user\AppData\Local\Programs\My Program\is-GUSOD.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\My Program\python-3.13.0-amd64.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe (copy) | 66% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine |
C:\Users\user\AppData\Local\Temp\is-3O9NM.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp | 0% | ReversingLabs | |
                            No Antivirus matches
                            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
4.251.123.83:6677 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | rHACNp6WFk.exe | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://appsyndication.org/2006/appsynapplicationc: | is-GUSOD.tmp.2.dr | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.remobjects.com/ps | rHACNp6WFk.exe, 00000000.00000003.1408743597.000000007F88B000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.exe, 00000000.00000003.1408348042.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.tmp, 00000002.00000000.1410351911.00000000002B1000.00000020.00000001.01000000.00000004.sdmp, is-2T33C.tmp.2.dr | false | | high
https://www.innosetup.com/ | rHACNp6WFk.exe, 00000000.00000003.1408743597.000000007F88B000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.exe, 00000000.00000003.1408348042.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.tmp, 00000002.00000000.1410351911.00000000002B1000.00000020.00000001.01000000.00000004.sdmp, is-2T33C.tmp.2.dr | false | | high
https://discord.com/api/v9/users/ | ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/example/Field1Response | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ttgtggt.exe, 00000004.00000002.1627199642.0000000002775000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/sc | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.github.com/ | rHACNp6WFk.tmp, 00000002.00000003.1551738373.0000000000FEC000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegottgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.w3.ohttgtggt.exe, 00000004.00000002.1627199642.000000000286F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://www.github.com/.https://www.github.com/.https://www.github.com/rHACNp6WFk.exe, 00000000.00000003.1407144583.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.tmp, 00000002.00000003.1412075685.0000000003770000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressingttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuettgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trustttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsettgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Noncettgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/Renewttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://tempuri.org/example/Field1ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/soap/envelope/ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://tempuri.org/example/Field2ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://tempuri.org/example/Field3ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trustttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbackttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/06/addressingexttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoorttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Noncettgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponsettgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renewttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://www.github.com/arHACNp6WFk.exe, 00000000.00000003.1557115941.000000000282C000.00000004.00001000.00020000.00000000.sdmp, rHACNp6WFk.tmp, 00000002.00000003.1551738373.0000000000FEC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://www.w3.ottgtggt.exe, 00000004.00000002.1627199642.000000000286F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Committedttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              http://tempuri.org/example/Field3Responsettgtggt.exe, 00000004.00000002.1627199642.000000000286F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/faultttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponsettgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Cancelttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmpfalse
high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | ttgtggt.exe, 00000004.00000002.1627199642.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | ttgtggt.exe, 00000004.00000002.1637709747.00000000125DA000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000129C7000.00000004.00000800.00020000.00000000.sdmp, ttgtggt.exe, 00000004.00000002.1637709747.00000000127F6000.00000004.00000800.00020000.00000000.sdmp | false | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 | ttgtggt.exe, 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
4.251.123.83 | unknown | United States | 3356 | LEVEL3US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1554440
Start date and time: 2024-11-12 14:55:41 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rHACNp6WFk.exe
renamed because original name is a hash value
Original Sample Name: f7d1d2548bed4be604171cd18e535106e4549d646afb585265fb27d09c0feb7a.exe
Detection: MAL
Classification: mal80.troj.spyw.evad.winEXE@5/11@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: rHACNp6WFk.exe
Time | Type | Description
08:56:56 | API Interceptor | 23x Sleep call for process: ttgtggt.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
4.251.123.83 | jyRdJ06Naz.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | rePERU8VUs.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | VJoillkb6X.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | 9LrEuTWP8s.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | HAeAec7no3.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | EUFOvMxM2H.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | i4w1K6ft2F.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | xMYbN0Yd2a.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | FaZM14kDMN.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
 | j7movK82QT.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
LEVEL3US | jyRdJ06Naz.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | rePERU8VUs.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | VJoillkb6X.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | 9LrEuTWP8s.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | HAeAec7no3.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | EUFOvMxM2H.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | i4w1K6ft2F.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | xMYbN0Yd2a.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | FaZM14kDMN.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
 | j7movK82QT.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse | 4.251.123.83
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe (copy) | jyRdJ06Naz.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp | jyRdJ06Naz.exe | Get hash | malicious | Meduza Stealer, PureLog Stealer, RedLine, zgRAT | Browse |
Process: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe
File Type: CSV text
Category: dropped
Size (bytes): 2611
Entropy (8bit): 5.363358188931451
Encrypted: false
SSDEEP: 48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT48BHK7HKmTHlHNW:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZR
MD5: CEA017D10C4D437981D19F21660A47FA
SHA1: 61AAFCECB5325DE172857CEF7C7E1F230F73AFFD
SHA-256: 60B099420455DECD1878FE84F217CFE478BA0BA5E6E574077150D08355A1DD96
SHA-512: 413384BF9D2EDC9BC2DF6D5175D09A33B91CCF9C53FE3CB21892CB57AF4FD8A9BE0608E9BCA57AF4A7F2709A4C110148719DA3210460DF433CFD77FA753B9CF8
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Process: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3311677
Entropy (8bit): 6.5714241602852965
Encrypted: false
SSDEEP: 49152:MdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQL3330Y:uJYVM+LtVt3P/KuG2ONG9iqLRQL333f
MD5: 0CD7B69C1A41E8F5671DC1EF6044B567
SHA1: 8B393D9F344D02129433EA93EF8CA3E324A9A2BA
SHA-256: 6E543D5B3B0A1F76DAFFA72CE3E789FB14A19E0556EE7370F3788FE67FD68FC0
SHA-512: 2A97ABD15DEF952AA3EB3F51321B14B5B316F0CEECD5308C172A03845099358DE9AA80D0C8E1153E648C7889207DE12E2E190361DADFB8E0F8EE3A3D35684FF6
Malicious: true
Reputation: low
                                                                                                                                                                                                                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..d........*.......*...@...........................3...........@......@...................P,.n.....,.j:...P0. .....................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc... ....P0......./.............@..@.............04......`3.............@..@................
                                                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
                                                                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):346112
                                                                                                                                                                                                                                                            Entropy (8bit):6.572244662396641
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:6144:2DKXJVqDD/qxgATuaBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4Qx:2DgYDzqxdXBNt1BrivR0V4TBjgYxs1wQ
                                                                                                                                                                                                                                                            MD5:C9B68B9567CC9067794E32999C02BFA7
                                                                                                                                                                                                                                                            SHA1:D999F0701086E1ECC87380CF002F37F985C6DE4C
                                                                                                                                                                                                                                                            SHA-256:8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
                                                                                                                                                                                                                                                            SHA-512:9E24E7FAB933FBD5AD500B0759582D3417CCD571C248010BE486C53574F21E38A5D10DD2B14128CC4D4B4D922DC25806A14D46793B9E2FFE951B8C797F458C6A
                                                                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                                                                            Yara Hits:
                                                                                                                                                                                                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, Author: Joe Security
                                                                                                                                                                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, Author: Joe Security
                                                                                                                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, Author: Joe Security
                                                                                                                                                                                                                                                            • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Programs\My Program\is-FGFQ0.tmp, Author: ditekSHen
                                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                                                                                                            • Filename: jyRdJ06Naz.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............F..............@..B........................H........K........../.......)...........................................*.(O...(....*..{....*..{....*.~....(....~....(.....(......}......}....*.0..<........u......,0(.....{.....{....o....,.(.....{.....{....o....+..*. ..L0(.....{....o....X )UU.Z(.....{....o....X*..0...........r...p......%..{.....................-.q.............-.&.+.......o.....%..{.....................-.q.............-.&.+.......o.....(....*..{....*..{....*.~....(....~....(.....(......}......}....*...0..<...
                                                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
                                                                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):28160096
                                                                                                                                                                                                                                                            Entropy (8bit):7.997949543387279
                                                                                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                                                                                            SSDEEP:393216:NQs3AMrF2S7Pr96of7sv2iZpAs2vEqhlKBe//u4fW9Xj9uXU//EAa6L4pGROW:NQs31rFn7Pr4Y4vbpCye//zf0TAEVJGq
                                                                                                                                                                                                                                                            MD5:F5E5D48BA86586D4BEF67BCB3790D339
                                                                                                                                                                                                                                                            SHA1:118838D3BC5D1A13CE71D8D83DE52427B1562124
                                                                                                                                                                                                                                                            SHA-256:78156AD0CF0EC4123BFB5333B40F078596EBF15F2D062A10144863680AFBDEFC
                                                                                                                                                                                                                                                            SHA-512:FFAEF212D55E3BDD87E79CBFACEBC0612FFC1C8C4B495585392746202DCE6332383199F0206113EE95EBB4A76D718D0700E1AED9AD518D43B7569A44F0A39427
                                                                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.s...s...s.......s......$s.......s.......s.......s.......s.......s.......s...s...r.......s....Q..s...s9..s.......s..Rich.s..........................PE..L....RKa..........................................@......................................@.................................<............e..........P..../...P...=...{..T....................{.......z..@............................................text.............................. ..`.rdata..t...........................@..@.data...............................@....wixburn8...........................@..@.rsrc....e.......f..................@..@.reloc...=...P...>..................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
                                                                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):28160096
                                                                                                                                                                                                                                                            Entropy (8bit):7.997949543387279
                                                                                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                                                                                            SSDEEP:393216:NQs3AMrF2S7Pr96of7sv2iZpAs2vEqhlKBe//u4fW9Xj9uXU//EAa6L4pGROW:NQs31rFn7Pr4Y4vbpCye//zf0TAEVJGq
                                                                                                                                                                                                                                                            MD5:F5E5D48BA86586D4BEF67BCB3790D339
                                                                                                                                                                                                                                                            SHA1:118838D3BC5D1A13CE71D8D83DE52427B1562124
                                                                                                                                                                                                                                                            SHA-256:78156AD0CF0EC4123BFB5333B40F078596EBF15F2D062A10144863680AFBDEFC
                                                                                                                                                                                                                                                            SHA-512:FFAEF212D55E3BDD87E79CBFACEBC0612FFC1C8C4B495585392746202DCE6332383199F0206113EE95EBB4A76D718D0700E1AED9AD518D43B7569A44F0A39427
                                                                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.s...s...s.......s......$s.......s.......s.......s.......s.......s.......s...s...r.......s....Q..s...s9..s.......s..Rich.s..........................PE..L....RKa..........................................@......................................@.................................<............e..........P..../...P...=...{..T....................{.......z..@............................................text.............................. ..`.rdata..t...........................@..@.data...............................@....wixburn8...........................@..@.rsrc....e.......f..................@..@.reloc...=...P...>..................@..B........................................................................................................................................................................................................................................
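The two 28160096-byte records above read Entropy (8bit) 7.9979 with Encrypted:true, while the Delphi installer stub and the .NET assembly sit near 6.57 with Encrypted:false. The Python below is an added example, not part of the Joe Sandbox report: it computes the bits-per-byte Shannon entropy that the "Entropy (8bit)" field is on the scale of, derives the MD5/SHA1/SHA-256/SHA-512 fields from the same bytes, and shows why a near-8.0 reading is a hint rather than a verdict. The preview of the 7.99 file contains a `.wixburn` section, which is the section name a WiX Burn bootstrapper stub uses for its embedded (compressed) payload container, so compression alone would explain that number. The 7.9 cut-off, the section-name heuristic and the sample buffers are my assumptions; the sandbox's own threshold and implementation are not stated on the page.

```python
import hashlib
import math
from collections import Counter

# Assumed cut-off: a reading this close to the 8.0 ceiling cannot, by entropy
# alone, be told apart as compressed, encrypted or packed. Joe Sandbox's real
# threshold is not given on the page.
HIGH_ENTROPY = 7.9

# PE section names to look for in a sandbox 'Preview' dump (non-printable
# bytes are rendered as '.', so names survive as '.text', '.wixburn', ...).
KNOWN_SECTIONS = (".text", ".itext", ".rdata", ".data", ".bss", ".idata",
                  ".didata", ".edata", ".tls", ".reloc", ".rsrc", ".wixburn")


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated value, 8.0 for a
    uniform byte distribution. Standard estimator over the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """The hash fields of a dropped-file record, all over the same bytes."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def section_names_from_preview(preview: str) -> list:
    """Heuristic: pick known section names out of a preview string."""
    return [name for name in KNOWN_SECTIONS if name in preview]


def classify(entropy: float, section_names: list) -> str:
    """Turn an entropy reading into a triage label, using section names as
    context. '.wixburn' marks a WiX Burn bundle whose payloads are compressed,
    which produces the same near-8.0 reading as encryption would."""
    if entropy < HIGH_ENTROPY:
        return "plain"
    if ".wixburn" in section_names:
        return ("high entropy, but WiX Burn payload container present: "
                "likely compressed, not necessarily encrypted")
    return "high entropy: encrypted or packed"


def triage_record(data: bytes, preview: str) -> dict:
    """Build the subset of a dropped-file record that derives from the bytes."""
    entropy = shannon_entropy_8bit(data)
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy >= HIGH_ENTROPY,
        "Assessment": classify(entropy, section_names_from_preview(preview)),
        **digests(data),
    }


# Constructed sample inputs (not files from the analysis):
UNIFORM = bytes(range(256)) * 64          # every byte value equally often -> 8.0
ZEROS = b"\x00" * 4096                    # one value only -> 0.0
TWO_VALUES = b"ab" * 512                  # two equiprobable values -> 1.0
# Deterministic stand-in for compressed/encrypted content: chained SHA-256
# output, which is indistinguishable from random by a byte histogram.
PSEUDO_RANDOM = b"".join(
    hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(1024))
# Excerpt of the section table as it appears in the report's Preview field.
WIXBURN_PREVIEW_EXCERPT = ("text.............................. ..`.rdata..t.....@..@"
                           ".data...............@....wixburn8..........@..@"
                           ".rsrc....e.......f.....@..@.reloc...=...P...>...@..B")

if __name__ == "__main__":
    for label, buf in (("uniform", UNIFORM), ("zeros", ZEROS),
                       ("two values", TWO_VALUES), ("pseudo-random", PSEUDO_RANDOM)):
        rec = triage_record(buf, WIXBURN_PREVIEW_EXCERPT if buf is PSEUDO_RANDOM else "")
        print(f"{label:14s} entropy={rec['Entropy (8bit)']:.4f} "
              f"encrypted={rec['Encrypted']} -> {rec['Assessment']}")
        print(f"{'':14s} SHA-256={rec['SHA-256']}")
```

Entropy says how compressible the bytes already are, nothing about whether a key was involved; pair a near-8.0 reading with the section table, the file type and the parent process (here an Inno Setup temp executable dropping a WiX bundle) before calling a dropped file "encrypted".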
Process:C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):346112
Entropy (8bit):6.572244662396641
Encrypted:false
SSDEEP:6144:2DKXJVqDD/qxgATuaBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4Qx:2DgYDzqxdXBNt1BrivR0V4TBjgYxs1wQ
MD5:C9B68B9567CC9067794E32999C02BFA7
SHA1:D999F0701086E1ECC87380CF002F37F985C6DE4C
SHA-256:8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
SHA-512:9E24E7FAB933FBD5AD500B0759582D3417CCD571C248010BE486C53574F21E38A5D10DD2B14128CC4D4B4D922DC25806A14D46793B9E2FFE951B8C797F458C6A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 66%
Joe Sandbox View:
• Filename: jyRdJ06Naz.exe, Detection: malicious
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............F..............@..B........................H........K........../.......)...........................................*.(O...(....*..{....*..{....*.~....(....~....(.....(......}......}....*.0..<........u......,0(.....{.....{....o....,.(.....{.....{....o....+..*. ..L0(.....{....o....X )UU.Z(.....{....o....X*..0...........r...p......%..{.....................-.q.............-.&.+.......o.....%..{.....................-.q.............-.&.+.......o.....(....*..{....*..{....*.~....(....~....(.....(......}......}....*...0..<...

Process:C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
File Type:InnoSetup Log My Program {B61D3B6E-7045-4057-9E07-2D934A8C359C}, version 0x418, 2214 bytes, 965969\37\user\37, C:\Users\user\AppData\Local\Programs\My
Category:dropped
Size (bytes):2214
Entropy (8bit):3.4889963235470005
Encrypted:false
SSDEEP:48:EMGQQC3GQDCy1bGQl1GQyGQjCyQJCyQMztxvjUxA8xeUh7HAM:HBC0mC7CeBhUi8HhzAM
MD5:D47C9BFA387FA41AFCBDAEC1CC36E611
SHA1:E6DF4D7FD09604E0D5D0A81433FEDCCBF67EE83C
SHA-256:0DD0AB2CA8571EE765F03C20F4C4DDB1CDED5CFA43756F02DBC5D75C69256C72
SHA-512:7D3E5CD0AE0090575DE39C353F275B5F576451F463F31D831855E6FC47B7574E131E4160F21F47BC4CFD5E237F13316396270577C86D5983762E8682AD32F7FC
Malicious:false
Preview:Inno Setup Uninstall Log (b)....................................{B61D3B6E-7045-4057-9E07-2D934A8C359C}..........................................................................................My Program..................................................................................................................................%......................................................................................................................%....:M+...............9.6.5.9.6.9......h.u.b.e.r.t......C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.M.y. .P.r.o.g.r.a.m................8.-.... .....D..................C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.M.y. .P.r.o.g.r.a.m..b...C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.(.D.e.f.a.u.l.t.)......(.D.e.f.a.u.l.t.)......e.n.g.l.i.s.h.............................h........C.:.\.
                                                                                                                                                                                                                                                            Preview:Inno Setup Uninstall Log (b)....................................{B61D3B6E-7045-4057-9E07-2D934A8C359C}..........................................................................................My Program..................................................................................................................................%......................................................................................................................%....:M+...............9.6.5.9.6.9......h.u.b.e.r.t......C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.M.y. .P.r.o.g.r.a.m................8.-.... .....D..................C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.M.y. .P.r.o.g.r.a.m..b...C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.(.D.e.f.a.u.l.t.)......(.D.e.f.a.u.l.t.)......e.n.g.l.i.s.h.............................h........C.:.\.

Process: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3311677
Entropy (8bit): 6.5714241602852965
Encrypted: false
SSDEEP: 49152:MdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQL3330Y:uJYVM+LtVt3P/KuG2ONG9iqLRQL333f
MD5: 0CD7B69C1A41E8F5671DC1EF6044B567
SHA1: 8B393D9F344D02129433EA93EF8CA3E324A9A2BA
SHA-256: 6E543D5B3B0A1F76DAFFA72CE3E789FB14A19E0556EE7370F3788FE67FD68FC0
SHA-512: 2A97ABD15DEF952AA3EB3F51321B14B5B316F0CEECD5308C172A03845099358DE9AA80D0C8E1153E648C7889207DE12E2E190361DADFB8E0F8EE3A3D35684FF6
Malicious: true
Preview: MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..d........*.......*...@...........................3...........@......@...................P,.n.....,.j:...P0. .....................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc... ....P0......./.............@..@.............04......`3.............@..@................

Process: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.720366600008286
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\rHACNp6WFk.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3287552
Entropy (8bit): 6.584850058337391
Encrypted: false
SSDEEP: 49152:0dJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQL3330T:WJYVM+LtVt3P/KuG2ONG9iqLRQL333y
MD5: D318E73231E30E6B64517F61073B5AF3
SHA1: B6F9500E965322ACC32A714BE68463DFD02B389C
SHA-256: F18525A6444DAC6425191227CEB6023EBE1B02DB164BF627D173587A45576BA8
SHA-512: 84AAEC6EAB831E95E09DABA871329B4BB3B22B8CFEF39B4F96E4135EC1762DB396BCCC75B869EB736D10B0DBA0EC173DA6D905B1C8CABD1070B76C1FE0FDAD41
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*..d........*.......*...@...........................3...........@......@...................P,.n.....,.j:...P0. .....................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc... ....P0......./.............@..@.............04......`3.............@..@................

Process: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Nov 12 12:56:46 2024, mtime=Tue Nov 12 12:56:46 2024, atime=Sun Nov 10 04:07:02 2024, length=346112, window=hide
Category: dropped
Size (bytes): 1282
Entropy (8bit): 4.820102650418543
Encrypted: false
SSDEEP: 24:8mYcHvDdDRyEZkI0r/qek00AySWpGQpGQHcbMKqygm:8mDHvDdDRyEZB0r/qeDFuGQpGQ1Hyg
MD5: BA0F5F4EEF0E1044407FE3E3224B4EEE
SHA1: 2023BB00D3E4FC5957E99699A20E52704475AAC0
SHA-256: 029EE932A31B8D3E11B4B5680DDFDA4241F06EC589631B4FB7E7CFD1E5C7D523
SHA-512: 06FFBFA7CBF2AA3BB3B7D9519E2E5794281965EB7B0967878812F7F00B2743A19BB5CE64AA2DD2C065E6BECA63E6F7115F790BEC712A478E714E4124FBF8D009
Malicious: false
Preview: L..................F.... ...^.1..5....6..5..._.`.3...H......................(.:..DG..Yr?.D..U..k0.&...&.......y.Yd....Z...5...mQ..5......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BlY.o..........................d...A.p.p.D.a.t.a...B.P.1.....lY.o..Local.<......EW)BlY.o..........................]..L.o.c.a.l.....Z.1.....lY.o..Programs..B......lY.olY.o.....).....................]..P.r.o.g.r.a.m.s.....^.1.....lY.o..MYPROG~1..F......lY.olY.o.....)......................A.M.y. .P.r.o.g.r.a.m.....b.2..H..jY.( .ttgtggt.exe.H......lY.olY.o.....)........................t.t.g.t.g.g.t...e.x.e.......l...............-.......k............r......C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe..4.....\.....\.....\.....\.....\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.M.y. .P.r.o.g.r.a.m.\.t.t.g.t.g.g.t...e.x.e.1.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.M.y. .P.r.o.g.r.a.m.........|....I.J.H..K..:...`.......X.......965969......

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.996431388433169
TrID:
• Win32 Executable (generic) a (10002005/4) 98.45%
• Inno Setup installer (109748/4) 1.08%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name: rHACNp6WFk.exe
File size: 30'026'469 bytes
MD5: e8257a3a7ba4046f50d7795afa5b90b9
SHA1: 26368c267e2545eaa34cd33898daa4d9e12ab159
SHA256: f7d1d2548bed4be604171cd18e535106e4549d646afb585265fb27d09c0feb7a
SHA512: c220fd861f3ac586e9436691506ce4fb6cfbbe4af52649f9fd3bdfeda86b5ab53973f8fd2f50e2ff955e7e2a23d1a400aa7f065b276af5641bac5e27cfd594d7
SSDEEP: 786432:1WLbcF8n4x1BtKXy7Gn54fytYESCn124Fg:kLbcFLqz54atYESCnQ4S
TLSH: C1673323B2C7A03EE05D0B3B11B2B215A5FB79627827BD66D6F084ACDE254500D3EB57
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 0f0575e0c8713133
Entrypoint: 0x4a83bc
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 40ab50289f7ef5fae60801f88d4541fc
Entrypoint Instructions
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007FB9F8A62685h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007FB9F8AF400Bh
call 00007FB9F8AF3B5Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FB9F8AEE838h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007FB9F8A5C733h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007FB9F8AEFB63h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FB9F8AF4093h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FB9F8AFAD7Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007FB9F8AF0458h
mov edx, dword ptr [004B4200h]
Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x5184 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xcb000 | 0x5184 | 0x5200 | bdc81b14ae9fd6f8c0457dec57e5e445 | False | 0.5676448170731707 | data | 5.999241935326499 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xcb438 | 0x1c30 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0015243902439024 |
| RT_STRING | 0xcd068 | 0x3f8 | data | | | 0.3198818897637795 |
| RT_STRING | 0xcd460 | 0x2dc | data | | | 0.36475409836065575 |
| RT_STRING | 0xcd73c | 0x430 | data | | | 0.40578358208955223 |
| RT_STRING | 0xcdb6c | 0x44c | data | | | 0.38636363636363635 |
| RT_STRING | 0xcdfb8 | 0x2d4 | data | | | 0.39226519337016574 |
| RT_STRING | 0xce28c | 0xb8 | data | | | 0.6467391304347826 |
| RT_STRING | 0xce344 | 0x9c | data | | | 0.6410256410256411 |
| RT_STRING | 0xce3e0 | 0x374 | data | | | 0.4230769230769231 |
| RT_STRING | 0xce754 | 0x398 | data | | | 0.3358695652173913 |
| RT_STRING | 0xceaec | 0x368 | data | | | 0.3795871559633027 |
| RT_STRING | 0xcee54 | 0x2a4 | data | | | 0.4275147928994083 |
| RT_RCDATA | 0xcf0f8 | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0xcf108 | 0x310 | data | | | 0.6173469387755102 |
| RT_RCDATA | 0xcf418 | 0x2c | data | | | 1.1590909090909092 |
| RT_GROUP_ICON | 0xcf444 | 0x14 | data | English | United States | 1.2 |
| RT_VERSION | 0xcf458 | 0x584 | data | English | United States | 0.2563739376770538 |
| RT_MANIFEST | 0xcf9dc | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163 |
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-12T14:56:53.759174+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.8 | 49705 | 4.251.123.83 | 6677 | TCP
2024-11-12T14:56:54.275070+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 4.251.123.83 | 6677 | 192.168.2.8 | 49705 | TCP
2024-11-12T14:56:57.133259+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-12T14:57:35.309360+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49712 | TCP
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.262160063 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267324924 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267374992 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267385960 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267420053 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267631054 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267640114 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267689943 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267704010 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267740965 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267746925 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267797947 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267801046 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267823935 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267853975 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267879963 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267926931 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.267992973 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268022060 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268081903 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268096924 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268126965 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268167019 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268227100 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268235922 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268271923 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268301964 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268313885 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268318892 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268340111 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268378973 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268388987 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268470049 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268548012 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268553972 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268563986 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268567085 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268575907 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268582106 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268601894 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268605947 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268613100 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268637896 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268657923 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268701077 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268706083 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.268749952 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272470951 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272511005 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272546053 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272556067 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272572041 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272597075 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272614002 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272614956 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272639990 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272660971 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272697926 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272699118 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272737026 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272790909 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272795916 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272800922 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272820950 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272850037 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272875071 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272890091 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.272906065 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273066998 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273072004 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273137093 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273140907 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273319006 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273339033 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273444891 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273452044 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273541927 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273547888 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273627043 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273677111 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273763895 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273767948 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273832083 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273840904 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273865938 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.273869991 CET6677497054.251.123.83192.168.2.8
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 12, 2024 14:56:58.273902893 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.273906946 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.273942947 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.273988008 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.273992062 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274029970 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274041891 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274045944 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274110079 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274113894 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274204016 CET  49705        6677       192.168.2.8   4.251.123.83
Nov 12, 2024 14:56:58.274220943 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274240017 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274256945 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274260998 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274271011 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274275064 CET  49705        6677       192.168.2.8   4.251.123.83
Nov 12, 2024 14:56:58.274302006 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274312019 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274318933 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274334908 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274358988 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274411917 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274415970 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274465084 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274477959 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274488926 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274493933 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274529934 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274534941 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274564981 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274601936 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274663925 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274667978 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274677038 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274681091 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274712086 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274715900 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274758101 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.274761915 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277652979 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277657032 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277693033 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277695894 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277739048 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277743101 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277776957 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277857065 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277861118 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277910948 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277915001 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277947903 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277991056 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.277995110 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.278039932 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.278043985 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.278089046 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.278093100 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.278140068 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.278148890 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.278352976 CET  49705        6677       192.168.2.8   4.251.123.83
Nov 12, 2024 14:56:58.278429031 CET  49705        6677       192.168.2.8   4.251.123.83
Nov 12, 2024 14:56:58.279300928 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279305935 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279371023 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279408932 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279508114 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279561996 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279570103 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279575109 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279597998 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279602051 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279654026 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279658079 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279704094 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279707909 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279743910 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279799938 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279803991 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279918909 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279922962 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279932022 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279936075 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279946089 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279951096 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.279962063 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280019999 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280024052 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280051947 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280056000 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280060053 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280143023 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280148029 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280157089 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280159950 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280169964 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280174017 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280184031 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280226946 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280230999 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280239105 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280242920 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280270100 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280273914 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280318975 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280323029 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280366898 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280370951 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280416965 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280421019 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280457973 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280481100 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280484915 CET  6677         49705      4.251.123.83  192.168.2.8
Nov 12, 2024 14:56:58.280539989 CET  6677         49705      4.251.123.83  192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.280544043 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283375978 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283380032 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283415079 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283418894 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283454895 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283458948 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283483028 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283514023 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283535004 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283546925 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283552885 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283555984 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283576965 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283627987 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283648014 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283652067 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283662081 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283665895 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283726931 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283730984 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283835888 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283839941 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283848047 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283852100 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283890963 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283895016 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283931017 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.283935070 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284024954 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284029007 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284084082 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284089088 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284118891 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284122944 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284261942 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284271955 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284276009 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284285069 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284295082 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284300089 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284303904 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284312963 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284318924 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284327030 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284331083 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284338951 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284343004 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284352064 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284356117 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284364939 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284368992 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284390926 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284394979 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284404039 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.284482956 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288697004 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288701057 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288747072 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288750887 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288755894 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288808107 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288840055 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288871050 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288892984 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288902044 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288991928 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.288995981 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289010048 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289025068 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289056063 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289060116 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289172888 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289176941 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289185047 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289187908 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289197922 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289300919 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289310932 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289319038 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289323092 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289334059 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289336920 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289402962 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289412975 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.289417982 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.300496101 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.342128992 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.342365026 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.342457056 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.342457056 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.342506886 CET497056677192.168.2.84.251.123.83
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:58.390114069 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:59.114747047 CET6677497054.251.123.83192.168.2.8
                                                                                                                                                                                                                                                            Nov 12, 2024 14:56:59.160463095 CET497056677192.168.2.84.251.123.83


Target ID: 0
Start time: 08:56:36
Start date: 12/11/2024
Path: C:\Users\user\Desktop\rHACNp6WFk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\rHACNp6WFk.exe"
Imagebase: 0xab0000
File size: 30'026'469 bytes
MD5 hash: E8257A3A7BA4046F50D7795AFA5B90B9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:56:37
Start date: 12/11/2024
Path: C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-U0C1K.tmp\rHACNp6WFk.tmp" /SL5="$10436,29074250,797184,C:\Users\user\Desktop\rHACNp6WFk.exe"
Imagebase: 0x2b0000
File size: 3'287'552 bytes
MD5 hash: D318E73231E30E6B64517F61073B5AF3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 08:56:50
Start date: 12/11/2024
Path: C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Programs\My Program\ttgtggt.exe"
Imagebase: 0x100000
File size: 346'112 bytes
MD5 hash: C9B68B9567CC9067794E32999C02BFA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000000.1545790566.0000000000102000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1627199642.0000000002630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1627199642.000000000264D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 15.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 12
Total number of Limit Nodes: 0

Execution graph nodes, reconstructed from the flattened graph data (each chain lists the node addresses in edge order, with the imported API resolved at the middle node):
• 7ffb4a21575d -> 7ffb4a21577f (ReadFile) -> 7ffb4a21587d
• 7ffb4a213145 -> 7ffb4a213163 (CreateCompatibleBitmap) -> 7ffb4a21323a
• 7ffb4a214977 -> 7ffb4a214993 (CreateFileA) -> 7ffb4a214b02
• 7ffb4a216259 -> 7ffb4a21626f (DeleteDC) -> 7ffb4a2162f6

Control-flow Graph

Control-flow graph (rendered as an image in the report; basic-block address ranges and edge list omitted here): first basic block 7ffb4a21bd39-7ffb4a21bd8a; call targets referenced in the graph: 7ffb4a21e981, 7ffb4a21e921, 7ffb4a21e893, 7ffb4a215cb0, 7ffb4a216848.
Strings
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Similarity
• API ID:
• String ID: 0<*J$E4_H$P5*J$xI J$9*J$C J$C J
• API String ID: 0-1637708201
• Opcode ID: 9eed08f4451450a9099fbfcf7e12a6bde55c4f0c21bd28b618caa3905c02c4e8
• Instruction ID: 6fb55e987f2d4fd0a32095fa3cfd81fdd018522bc5838a3a4965a7ef15a90082
• Opcode Fuzzy Hash: 9eed08f4451450a9099fbfcf7e12a6bde55c4f0c21bd28b618caa3905c02c4e8
• Instruction Fuzzy Hash: 5153A770D19A2D8FDBA8EF18C895BA9B7B1FB68305F1041EA900DE3651CE356E81DF41

Control-flow Graph
(rendered graph not recoverable; entry block 7ffb4a2118c9; calls to 7ffb4a212894, 7ffb4a210ee0, 7ffb4a210f08, 7ffb4a212756, 7ffb4a2127f5, 7ffb4a210f30, 7ffb4a210f58, 7ffb4a210f80)
Strings
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Similarity
• API ID:
• String ID: @B/$I$I
• API String ID: 0-565819723
• Opcode ID: de43b20e9064803f84001a7cf76efdd5f2809f2e789378fe57c41933e821b5b9
• Instruction ID: 3cd213489abfd2a60e33e50a45ed1ea26b043fde050bdfc04c50f9a68ae2d9fd
• Opcode Fuzzy Hash: de43b20e9064803f84001a7cf76efdd5f2809f2e789378fe57c41933e821b5b9
• Instruction Fuzzy Hash: 8082E9B0919A1D8FDBA9EF28C8957A8B7B5FF58300F5041F9D00DE7292DE356A81DB40

Control-flow Graph
(rendered graph not recoverable; entry block 7ffb4a21c499; calls to 7ffb4a21e893, 7ffb4a21e921, 7ffb4a21e981, 7ffb4a215cb0, 7ffb4a216848)
Strings
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Similarity
• API ID:
• String ID: xI J$C J
• API String ID: 0-2807787609
• Opcode ID: 576a001fdd26e797cb3927164214344da80fd9d4193e8aa7487bd86ad3e57cc1
• Instruction ID: 9dddfc5194b4d34567db0bd9f98efdccf1e5a03328319e72438ab8efcf10a1b1
• Opcode Fuzzy Hash: 576a001fdd26e797cb3927164214344da80fd9d4193e8aa7487bd86ad3e57cc1
• Instruction Fuzzy Hash: F48287B4918A2D8FDBA9EF18C895BA9B7B1FB58305F5041EA900DE3251CF356E81DF40

Control-flow Graph
(rendered graph not recoverable; entry block 7ffb4a0c9ce5; no calls in the recovered edge list)
Memory Dump Source
• Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9aeabda8dfa7e3c8221f4f4c11a0c963c3bf8468bc1109eb137a26b06680830c
• Instruction ID: 3722adb12b63b5bf5a5f5c6a5ff8f3e58f4d091c561e45d140800f8e086670f4
• Opcode Fuzzy Hash: 9aeabda8dfa7e3c8221f4f4c11a0c963c3bf8468bc1109eb137a26b06680830c
• Instruction Fuzzy Hash: F713C271A1DA8A4FD799EF2CC855669BBE1FF99300B1405FEE08EC7293DD28AC418741
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61fb1d3c8d149c8398905193a83c2e52a5389c59af510b68fe67aa178435f46e
• Instruction ID: 82b6e82bb1b53d4ef7ae5818c8286ede1ea9023b0c6d8b4b966ece06f54b3a2b
• Opcode Fuzzy Hash: 61fb1d3c8d149c8398905193a83c2e52a5389c59af510b68fe67aa178435f46e
• Instruction Fuzzy Hash: 0D92D3B1A0DA464FE798FF39C4552B4B7D1EF99300F2441BED48EC7292DE28A846D781
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c983e54a7f2aaa90dbcdae9c5023ab363f0fdb6a5a7858188280afb6cc0a477
• Instruction ID: bacb0f759df1a88ebd3a1e769dd391c4c4fac74829488990f3a639a9179945f8
• Opcode Fuzzy Hash: 9c983e54a7f2aaa90dbcdae9c5023ab363f0fdb6a5a7858188280afb6cc0a477
• Instruction Fuzzy Hash: 8D8290B1A1CA4A8FDB99EF28C491AA9B7E1FF58300F5005BDD04AC7692DE34F845DB41
Memory Dump Source
• Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 1bb0ba9337b3b1388ca3b526d1e656c45ce351f7e79ff67d496f320d74407820
                                                                                                                                                                                                                                                              • Instruction ID: 8a5238fcfb6b35ddca6bb18a0e6ec18e78d86f3c6ed227e0222c8c102d10c302
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1bb0ba9337b3b1388ca3b526d1e656c45ce351f7e79ff67d496f320d74407820
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: ED52D260A0DA4A4FE799EF2CD8556747BD6EF9A310B1402FBD44EC72E3DD18AC428781
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: ea79c6305fcbe236e2437ff5602cd14bd843edd51bd1f30a9d9e47f84bb6ffbe
                                                                                                                                                                                                                                                              • Instruction ID: a26697e4875bc99f349ec4c0474e5931849402f8fd026534400725de6f61c682
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ea79c6305fcbe236e2437ff5602cd14bd843edd51bd1f30a9d9e47f84bb6ffbe
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 76527D71A1CA0A8FEB58FF2CD455A7577D2FF58300B6401BAE45EC72A2DE24EC429781
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 12ef5c62403b179d50d883f449da7f327b72bef447def6998b751ba467ef2bf5
                                                                                                                                                                                                                                                              • Instruction ID: 2b8427d959acfd0c50bf6677da9c8f28bba491b660a520feaee3cebdf8612462
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 12ef5c62403b179d50d883f449da7f327b72bef447def6998b751ba467ef2bf5
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5C527571A1CA4A8FEBA8FF28C495BA5B7E1FF58300F5441A9D44DD7292CE34AC81DB41
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 5b1964b8d053360863dd024628fb51a291b6e8fea74edc12f013e77ca5233844
                                                                                                                                                                                                                                                              • Instruction ID: f8bd3409a0660293786a569cf19065e92a532c73db032974179cff1e6480d750
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5b1964b8d053360863dd024628fb51a291b6e8fea74edc12f013e77ca5233844
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DD22A1B1A1DA4A4FE798EF2CC499668B7D1FF59700B1501FED44EC72A3DE28AC418741
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 24257c993d4db8c4e4fafa4b36b062cbb5d464ebaed1c351c460a9dc7dcd5133
                                                                                                                                                                                                                                                              • Instruction ID: 5e696fbcdd91ed037d506140f612fe27ae1202d03dd5824c219cddd039923fe8
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 24257c993d4db8c4e4fafa4b36b062cbb5d464ebaed1c351c460a9dc7dcd5133
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 43325E71A1CA4A8FEB98FF28C455AA9B7E1FF59300F2041B9D44AC7296DE35EC41D780

Control-flow Graph (rendered graph for function 7ffb49ff0df5; not recoverable as text)
Strings
Memory Dump Source
• Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
Similarity
• API ID:
• String ID: XeI$XeI
• API String ID: 0-1011707637
• Opcode ID: 601ddd6a616b30e229f9102a7758e3a02a4ce9ce22cb21136f11f86edad9d37a
• Instruction ID: b14c6c4d7e143cf713def34813dc61686211d363c51c70a3893176b687ae7bcf
• Opcode Fuzzy Hash: 601ddd6a616b30e229f9102a7758e3a02a4ce9ce22cb21136f11f86edad9d37a
• Instruction Fuzzy Hash: 6AC1C971A09A1D8FDB95EF18C899BA8B7B5FB58300F1441EAD40DE7295DA30AE81CF40

Control-flow Graph (rendered graph for function 7ffb4a214977, which calls CreateFileA; not recoverable as text)
APIs
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 757322d8699815aa2996f21df4776cd3dcb7fc711a1d3a5612cf85b38a9ab054
• Instruction ID: 1c674e2de855a39c2feabb38837a3487022e7ed7c48765da0b86ceef97b507b4
• Opcode Fuzzy Hash: 757322d8699815aa2996f21df4776cd3dcb7fc711a1d3a5612cf85b38a9ab054
• Instruction Fuzzy Hash: 23517470918B8D8FDB68EF2CC8557E97BD1FB58310F14426AE84DC3252DA74E9418BC2

Control-flow Graph (rendered graph for function 7ffb4a21575d, which calls ReadFile; not recoverable as text)
                                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID: FileRead
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID: 2738559852-0
                                                                                                                                                                                                                                                              • Opcode ID: e4a5c2bd858510cb3e3f39ae8b7b76da767097901f46e021b8b58172dbd1d3ed
                                                                                                                                                                                                                                                              • Instruction ID: aa3959ba74bf968c133be51d0544166ca313079b795cae1e56bdf4c12e7108ce
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e4a5c2bd858510cb3e3f39ae8b7b76da767097901f46e021b8b58172dbd1d3ed
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DA51B07190CB1D8FDB58EF68D8456EDBBF1FB99310F0482AAD44DD7246CA34A845CB81

                                                                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                                                                              control_flow_graph 1676 7ffb4a213113-7ffb4a21311c 1677 7ffb4a21311e-7ffb4a213143 1676->1677 1678 7ffb4a213166-7ffb4a213171 1676->1678 1679 7ffb4a213173 1678->1679 1680 7ffb4a213174-7ffb4a213181 1678->1680 1679->1680 1681 7ffb4a213183 1680->1681 1682 7ffb4a213184-7ffb4a213191 1680->1682 1681->1682 1683 7ffb4a213193 1682->1683 1684 7ffb4a213194-7ffb4a2131ff 1682->1684 1683->1684 1688 7ffb4a213206-7ffb4a213238 CreateCompatibleBitmap 1684->1688 1689 7ffb4a213240-7ffb4a213268 1688->1689 1690 7ffb4a21323a 1688->1690 1690->1689
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 948ed990f2e15492f2280fa5a0e9f7efa2245578fef42d7ab1aaa5041888db8e
                                                                                                                                                                                                                                                              • Instruction ID: 0aecf088bdbee6da335af10a579c6a1d8317e5a2059b73537b21d8963134fc73
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 948ed990f2e15492f2280fa5a0e9f7efa2245578fef42d7ab1aaa5041888db8e
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7A41787194CA4C4FDB19AF78AC065FABBE4EB42321F0402BFD04DC3182DE696956C791

                                                                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                                                                              control_flow_graph 1692 7ffb4a213145-7ffb4a213161 1693 7ffb4a213163 1692->1693 1694 7ffb4a213164-7ffb4a213171 1692->1694 1693->1694 1695 7ffb4a213173 1694->1695 1696 7ffb4a213174-7ffb4a213181 1694->1696 1695->1696 1697 7ffb4a213183 1696->1697 1698 7ffb4a213184-7ffb4a213191 1696->1698 1697->1698 1699 7ffb4a213193 1698->1699 1700 7ffb4a213194-7ffb4a213238 CreateCompatibleBitmap 1698->1700 1699->1700 1705 7ffb4a213240-7ffb4a213268 1700->1705 1706 7ffb4a21323a 1700->1706 1706->1705
                                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID: BitmapCompatibleCreate
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID: 1901715728-0
                                                                                                                                                                                                                                                              • Opcode ID: 43cd50636387e84d24924ec913d1d9ff49501ee03a215ff5247fb813008c4772
                                                                                                                                                                                                                                                              • Instruction ID: 3928727ad870a2b9a9267ca8064acba99bafbc4cda3340ba195ae757ed499439
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 43cd50636387e84d24924ec913d1d9ff49501ee03a215ff5247fb813008c4772
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5741797184D6885FD71AAB78AC175F6BFE4EB42321F0442AFD089C3593C96D2443C791
                                                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID: Delete
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID: 1035893169-0
                                                                                                                                                                                                                                                              • Opcode ID: 38295b6965bbafd09b9e32e72ab0d232cb1ac4fd277a75a34fdd09a55cf186f2
                                                                                                                                                                                                                                                              • Instruction ID: 0061d14e2768bba913b2207054f1d89e41c3a5642cb3bfc4e88765148de0d4da
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 38295b6965bbafd09b9e32e72ab0d232cb1ac4fd277a75a34fdd09a55cf186f2
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3521457190CA0C8FDB59EF68C44A6FDBBE0EF95321F04416FD449C7152CA749806CB81
                                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID: XeI
                                                                                                                                                                                                                                                              • API String ID: 0-515379846
                                                                                                                                                                                                                                                              • Opcode ID: f580ef031724dccc55ea1c1e61289e44aee15f44a222a6fa43332db78e2286b3
                                                                                                                                                                                                                                                              • Instruction ID: 621a6e58a983ce7f1281c3111e1f7ad6ea127b2913daad9cd5460237def87389
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: f580ef031724dccc55ea1c1e61289e44aee15f44a222a6fa43332db78e2286b3
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B3D16270A09A1D8FDBA4EF18C898BA8B7F1FF58301F1441E9950DE7265CA30AE81CF40
                                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID: XeI
                                                                                                                                                                                                                                                              • API String ID: 0-515379846
                                                                                                                                                                                                                                                              • Opcode ID: 1e2f6d7155f1986710c6cc097de91d4513a5a879ffccdb43004fcb396e1ed489
                                                                                                                                                                                                                                                              • Instruction ID: cefbdc82e63df8793eb88c74bd673d70c7c3eddfdec44df1313da7e135944c5c
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1e2f6d7155f1986710c6cc097de91d4513a5a879ffccdb43004fcb396e1ed489
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 65B1F871A09A1E8FDBA9EF28C895BA877B5EF58300F1001E9D40DD7695DB34AE85CF40
                                                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID: ~>_H
                                                                                                                                                                                                                                                              • API String ID: 0-3245688848
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 280c0ed51cee7d8a80617facddb48c5d49d951e192065d33df833ac5384782c4
                                                                                                                                                                                                                                                              • Instruction ID: 2e3010994985ca59c5f690558be32a4210a0e6bce9ea0de7ba87acb90a940206
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 280c0ed51cee7d8a80617facddb48c5d49d951e192065d33df833ac5384782c4
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2D71D97170CA494FE799DF2CD8669647BE1EFA931071901EFE489C72A7DD14AC02C781
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 5439bcbe03d39f3b5ca43d63ea38b2991701c7c4d3b280f7d71015994de8e26c
                                                                                                                                                                                                                                                              • Instruction ID: 074d37fcf3d43e632fcecdcc70fd2b5f437ad54a2ddafcd9897cc5ce408cd18d
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5439bcbe03d39f3b5ca43d63ea38b2991701c7c4d3b280f7d71015994de8e26c
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8991C3B2A0CA5A4FDB58DF68C9556BD7BE1EF98304F14027BD04DE32CAEE246901C751
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 6b71bf3941252550fd60539f6e7fd9407b122333ec8d35c88e028db2b616df82
                                                                                                                                                                                                                                                              • Instruction ID: 8efd1a35a25031e94928dbb59a80ae8edfdeaf1e973fd5cce72179332634e06a
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6b71bf3941252550fd60539f6e7fd9407b122333ec8d35c88e028db2b616df82
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B681F9A290E6875AF762BFBCE8661E97F90EF41325B0841BBD48CC54D3DC193859C392
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 4cb5fb08c96b8379102e16d1ebd17c8f2559a6e6bd9ca617c76e737fbf7cf918
                                                                                                                                                                                                                                                              • Instruction ID: 13cb4317bd63ca57d4f743e71f51f93946e1f53db286e74bc4b5f9fdab514618
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4cb5fb08c96b8379102e16d1ebd17c8f2559a6e6bd9ca617c76e737fbf7cf918
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9B91E570A1891E8FDB94EF68C495BAC77F1FF58301F5401AAD40DE7296DE35A881CB40
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 082d19d3bb1f6012ce2810b1a128def9d9507fcf1d6bd134c15395be8a8d456a
                                                                                                                                                                                                                                                              • Instruction ID: 042dd55e6fe0c920328b6f86bf991c5defa993b4d17be965ff84d424a284f171
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 082d19d3bb1f6012ce2810b1a128def9d9507fcf1d6bd134c15395be8a8d456a
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A55106B170CE494FD798EF2CD855A757BD2EB99710B5401EFE48AC3292DD24EC028781
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 0f06a2cf52e4310bebf317b1a678c526bf81c81b3e0372de5c27d9b50e867a9a
                                                                                                                                                                                                                                                              • Instruction ID: bc7342921892919d1b6e38a483e4adc7329e3db3ae39da035fb5fcad59dd5bf3
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0f06a2cf52e4310bebf317b1a678c526bf81c81b3e0372de5c27d9b50e867a9a
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9B515B71918A5E8FDB85EF68C8456EEBBF0FF58315F0001BAE409D3292DA34A844CB81
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 95a801cfed4f1cb3b608e8b982da4a49f34a2f6be4f0a2a34088898fe4b56182
                                                                                                                                                                                                                                                              • Instruction ID: 96b5e699b0273651e9ad330606c113e903baa87b9a1cda479fc49690e3c3b7c3
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 95a801cfed4f1cb3b608e8b982da4a49f34a2f6be4f0a2a34088898fe4b56182
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: DC41266160EA854FE75AAF2CDC695757FE5EF96320B1902FBD049C72E3C918AC06C381
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: ee7d513317190e4e48843d6f7c77127780959c4eda78b90accbf91c0f21936bf
                                                                                                                                                                                                                                                              • Instruction ID: 6dca37487a48bea378d4f0d132786a87c964a028adb06316b7f6337ac57af873
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ee7d513317190e4e48843d6f7c77127780959c4eda78b90accbf91c0f21936bf
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2741A1B0918A4D8FE789DF68C8AA3A87FE0FB99310F90016EC108D77D9DB752914CB50
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 9eb2ac123ab9277e0cabe682996d8b161d936ce4bb1886b5bd6b88dc815a1347
                                                                                                                                                                                                                                                              • Instruction ID: 6fb6a0154cd86baf2d58cf8dca6ca513974dd9dd94a22abf1723fb03d1a5b9bd
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9eb2ac123ab9277e0cabe682996d8b161d936ce4bb1886b5bd6b88dc815a1347
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3021B1B2E08A5E8FDB54DF6CC9452AD7BE2EBD8300F14426BD40DE3289EA3469018791
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: e551b22b4a87cb315635cabe92d15ec7311356358a42a3f32d5b0670624ea9b2
                                                                                                                                                                                                                                                              • Instruction ID: b0131d736908d1ab681b42fb0d2f4f064eb0f8e0500fe961444f5c97d6283458
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e551b22b4a87cb315635cabe92d15ec7311356358a42a3f32d5b0670624ea9b2
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E221F9B1D1D51E8EDBA8EE68D9557ECB7A1FB58340F4040BAD04DE22C5CE756984CF40
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 8731107d49b127aadedad8764996ae26f7ec8ee7495762c2e4bb5a968f4ba50e
                                                                                                                                                                                                                                                              • Instruction ID: dee68519e5975ebf56d1353b22719742ff67170096c171684e71220a322d3ee3
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8731107d49b127aadedad8764996ae26f7ec8ee7495762c2e4bb5a968f4ba50e
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7321D3B190D68F8FEB84FF78C8666E9BB90FF54300F4405BAD409C21C7DD2468948741
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 24fa099595f3297d2e2cb3ee19894705f243c72e2a54b5a46e76e0cae78a6847
                                                                                                                                                                                                                                                              • Instruction ID: e68faf387c3416096be736202c8290e57f577be7387e1c6570c5de21d9d70f2d
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 24fa099595f3297d2e2cb3ee19894705f243c72e2a54b5a46e76e0cae78a6847
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1911E4A2A1DA965BF799AE28C5951283BD1EF98710B2802FED08CC72E2CD299C01C701
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 396f59d84b98c2e3a1ecb133b3b3d7b7e0d4afb3b35f6b3a66d391e28a2c10c5
                                                                                                                                                                                                                                                              • Instruction ID: 41656f6abc779b7000dbdf37fe54746bfbe4da373aaa4772bab93d2701f4f46d
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 396f59d84b98c2e3a1ecb133b3b3d7b7e0d4afb3b35f6b3a66d391e28a2c10c5
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8711DFA1A0DA865FE39AEF2C84A52257BD1EF99310B2801FED04DC73A2CD289C41C302
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 9c95d2182894a0633d0a567fc8295cdce572f14ad5b879a00eeb5ea34e749088
                                                                                                                                                                                                                                                              • Instruction ID: 980f7ed79259f61260c592bd27ec80b5bdc05998c75fda18ac21292d8a9d8c3f
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9c95d2182894a0633d0a567fc8295cdce572f14ad5b879a00eeb5ea34e749088
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B01175B190DA875FE399FE2C849553577D2EFA9310B1400BFD44DCB293DD295C418701
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 4d1f94519352ea7f597dbe071bddf13a0a0bafe45838a46fbb2587832e861a5b
                                                                                                                                                                                                                                                              • Instruction ID: 8c1da71ce9826e68004f4bb507ea4792ca8d42e024b3ca177ff106df6e848a4e
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4d1f94519352ea7f597dbe071bddf13a0a0bafe45838a46fbb2587832e861a5b
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CA0184E2C1D54AAFE796BF74C9562BCBB91EF54700F4401FBDA08C64D3DD2839448641
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1654496716.00007FFB4A0C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A0C0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb4a0c0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                                                              • Opcode ID: 1596233037f1b2ab43387293bb6a4cdd70e479dd2a8e5412d705fac4d60e86eb
                                                                                                                                                                                                                                                              • Instruction ID: 73bc599ee87bcd58a1a7feb59f5087cdf00bfab5ba4f76e3420570cd02d4c85c
                                                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1596233037f1b2ab43387293bb6a4cdd70e479dd2a8e5412d705fac4d60e86eb
                                                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2811A57060D9868FEBA9EF2CC994A247BE5EF55300B6841EEE04DC72D2CE18AC45C781
                                                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                                                              • Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
                                                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
Memory Dump Source
• Source File: 00000004.00000002.1653586020.00007FFB49FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB49FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb49ff0000_ttgtggt.jbxd
                                                                                                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Similarity
• String ID: E4_H$C J
• API String ID: 0-707621651
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd
Memory Dump Source
• Source File: 00000004.00000002.1656406266.00007FFB4A210000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4A210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffb4a210000_ttgtggt.jbxd