Windows Analysis Report
po4877383.exe

Overview

General Information

Sample name: po4877383.exe
Analysis ID: 1566505
MD5: a4fa8bbf123fa899ae788e1cf6b27d98
SHA1: e0866c961ba217c7a1dc4345cbade4d5f4deade4
SHA256: a16fd6417221b9f760ee7417a78751d6621726e8d76ab8e82954596c8e99d79c
Tags: exe, RedLineStealer, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • po4877383.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\po4877383.exe" MD5: A4FA8BBF123FA899AE788E1CF6B27D98)
    • po4877383.exe (PID: 3368 cmdline: "C:\Users\user\Desktop\po4877383.exe" MD5: A4FA8BBF123FA899AE788E1CF6B27D98)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1730761630.0000000003E34000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1730761630.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.1849698001.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
0.2.po4877383.exe.3df1d60.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.po4877383.exe.3e3cf80.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.po4877383.exe.3e3cf80.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.po4877383.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.po4877383.exe.3df1d60.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T10:52:05.005492+0100 | 2043234 | 1 | A Network Trojan was detected | 87.120.120.86 | 1912 | 192.168.2.4 | 49733 | TCP
2024-12-02T10:52:04.593767+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP
2024-12-02T10:52:10.058958+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP
2024-12-02T10:52:13.143188+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP
2024-12-02T10:52:13.575262+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP
2024-12-02T10:52:10.472232+0100 | 2046056 | 1 | A Network Trojan was detected | 87.120.120.86 | 1912 | 192.168.2.4 | 49733 | TCP
2024-12-02T10:52:04.593767+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP

AV Detection

Source: po4877383.exe; Avira: detected
Source: 00000000.00000002.1730761630.0000000003E34000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: po4877383.exe; ReversingLabs: Detection: 34%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: po4877383.exe; Joe Sandbox ML: detected
Source: po4877383.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: po4877383.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: OOGB.pdbSHA256 source: po4877383.exe
Source: Binary string: OOGB.pdb source: po4877383.exe
Source: C:\Users\user\Desktop\po4877383.exe; Code function: 4x nop then jmp 06A53EBAh (2_2_06A53A98)
Source: C:\Users\user\Desktop\po4877383.exe; Code function: 4x nop then jmp 06A5433Ah (2_2_06A53A98)
Source: C:\Users\user\Desktop\po4877383.exe; Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (2_2_06A51218)
Source: C:\Users\user\Desktop\po4877383.exe; Code function: 4x nop then jmp 06A5251Dh (2_2_06A524FC)
Source: C:\Users\user\Desktop\po4877383.exe; Code function: 4x nop then jmp 06A50941h (2_2_06A50929)

Networking

Source: Network traffic; Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49733 -> 87.120.120.86:1912
Source: Network traffic; Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49733 -> 87.120.120.86:1912
Source: Network traffic; Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 87.120.120.86:1912 -> 192.168.2.4:49733
Source: Network traffic; Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 87.120.120.86:1912 -> 192.168.2.4:49733
Source: Malware configuration extractor; URLs: 87.120.120.86:1912
Source: global traffic; TCP traffic: 192.168.2.4:49733 -> 87.120.120.86:1912
Source: Joe Sandbox View; ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: unknown; TCP traffic detected without corresponding DNS query: 87.120.120.86
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1852537468.00000000029D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002D3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1852537468.0000000002D3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002D3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                          Source: po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                          Source: po4877383.exe, 00000000.00000002.1730761630.0000000003E34000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000000.00000002.1730761630.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000000.00000002.1730761630.0000000003E9C000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1849698001.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                          Source: po4877383.exe, 00000000.00000002.1732451445.0000000005600000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs po4877383.exe
                          Source: po4877383.exe, 00000000.00000002.1734570366.0000000007720000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs po4877383.exe
                          Source: po4877383.exe, 00000000.00000000.1659117365.0000000000A5E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOOGB.exe6 vs po4877383.exe
                          Source: po4877383.exe, 00000000.00000002.1729966325.0000000002E10000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs po4877383.exe
                          Source: po4877383.exe, 00000000.00000002.1729162373.000000000109E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs po4877383.exe
                          Source: po4877383.exe, 00000000.00000002.1730761630.0000000003E34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs po4877383.exe
                          Source: po4877383.exe, 00000000.00000002.1730761630.0000000003E7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs po4877383.exe
                          Source: po4877383.exe, 00000000.00000002.1730761630.0000000003E9C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs po4877383.exe
                          Source: po4877383.exe, 00000000.00000002.1730761630.0000000003E9C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefirefox.exe0 vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $fq,\\StringFileInfo\\000004B0\\OriginalFilename vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $fq,\\StringFileInfo\\040904B0\\OriginalFilename vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIEXPLORE.EXED vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $fq,\\StringFileInfo\\080904B0\\OriginalFilename vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsedge.exe> vs po4877383.exe
                          Source: po4877383.exe, 00000002.00000002.1849698001.0000000000446000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs po4877383.exe
                          Source: po4877383.exeBinary or memory string: OriginalFilenameOOGB.exe6 vs po4877383.exe
                          Source: po4877383.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: po4877383.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: 0.2.po4877383.exe.3ea9008.2.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.po4877383.exe.3ea9008.2.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.po4877383.exe.3ea9008.2.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: _0020.AddAccessRule
                          Source: 0.2.po4877383.exe.40608d0.1.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.po4877383.exe.40608d0.1.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.po4877383.exe.40608d0.1.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: _0020.AddAccessRule
                          Source: 0.2.po4877383.exe.7720000.5.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: _0020.SetAccessControl
                          Source: 0.2.po4877383.exe.7720000.5.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.po4877383.exe.7720000.5.raw.unpack, Gl1vdAK3BoM1XrupxB.csSecurity API names: _0020.AddAccessRule
                          Source: 0.2.po4877383.exe.7720000.5.raw.unpack, xoi2pNYYZ9aAHA8Hjt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.po4877383.exe.3ea9008.2.raw.unpack, xoi2pNYYZ9aAHA8Hjt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: 0.2.po4877383.exe.40608d0.1.raw.unpack, xoi2pNYYZ9aAHA8Hjt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
                          Source: C:\Users\user\Desktop\po4877383.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\po4877383.exe.log
                          Source: C:\Users\user\Desktop\po4877383.exe | Mutant created: NULL
                          Source: po4877383.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          Source: C:\Users\user\Desktop\po4877383.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                          Source: C:\Users\user\Desktop\po4877383.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\po4877383.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                          Source: C:\Users\user\Desktop\po4877383.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: po4877383.exe | ReversingLabs: Detection: 34%
                          Source: unknown | Process created: C:\Users\user\Desktop\po4877383.exe "C:\Users\user\Desktop\po4877383.exe"
                          Source: C:\Users\user\Desktop\po4877383.exe | Process created: C:\Users\user\Desktop\po4877383.exe "C:\Users\user\Desktop\po4877383.exe"
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: mscoree.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: version.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: uxtheme.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: cryptsp.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: rsaenh.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: cryptbase.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: windowscodecs.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: amsi.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: msasn1.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: gpapi.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: dwrite.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: msvcp140_clr0400.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: mswsock.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: secur32.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: wbemcomn.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: dpapi.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: rstrtmgr.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: ncrypt.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Section loaded: ntasn1.dll
                          Source: C:\Users\user\Desktop\po4877383.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                          Source: C:\Users\user\Desktop\po4877383.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                          Source: po4877383.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: po4877383.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: po4877383.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: OOGB.pdbSHA256 source: po4877383.exe
                          Source: Binary string: OOGB.pdb source: po4877383.exe

                          Data Obfuscation

                          Source: 0.2.po4877383.exe.3ea9008.2.raw.unpack, Gl1vdAK3BoM1XrupxB.cs | .Net Code: x8mf65ltd9 System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.po4877383.exe.7720000.5.raw.unpack, Gl1vdAK3BoM1XrupxB.cs | .Net Code: x8mf65ltd9 System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.po4877383.exe.5600000.4.raw.unpack, L2.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                          Source: 0.2.po4877383.exe.40608d0.1.raw.unpack, Gl1vdAK3BoM1XrupxB.cs | .Net Code: x8mf65ltd9 System.Reflection.Assembly.Load(byte[])
                          Source: po4877383.exe | Static PE information: 0xAF11C509 [Sun Jan 28 02:35:53 2063 UTC]
                          Source: C:\Users\user\Desktop\po4877383.exe | Code function: 2_2_04E3D442 push eax; ret 2_2_04E3D451
                          Source: po4877383.exe | Static PE information: section name: .text entropy: 7.7861025495254665
                          Source: 0.2.po4877383.exe.3ea9008.2.raw.unpack, 0.2.po4877383.exe.7720000.5.raw.unpack, 0.2.po4877383.exe.40608d0.1.raw.unpack | High entropy of concatenated method names
                          Source: C:\Users\user\Desktop\po4877383.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: Yara match File source: Process Memory Space: po4877383.exe PID: 7036, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\po4877383.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\Desktop\po4877383.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 12D0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 2DD0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 4DD0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 7D00000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 78F0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 8D00000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 9D00000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: E10000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 2940000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: 4940000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\po4877383.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\po4877383.exe Window / User API: threadDelayed 1424
                          Source: C:\Users\user\Desktop\po4877383.exe Window / User API: threadDelayed 2849
                          Source: C:\Users\user\Desktop\po4877383.exe TID: 7108 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\po4877383.exe TID: 2120 Thread sleep time: -15679732462653109s >= -30000s
                          Source: C:\Users\user\Desktop\po4877383.exe TID: 3220 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\po4877383.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: po4877383.exe, 00000002.00000002.1850656259.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
                          Source: C:\Users\user\Desktop\po4877383.exe Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\po4877383.exe Memory allocated: page read and write | page guard
                          Source: C:\Users\user\Desktop\po4877383.exe Process created: C:\Users\user\Desktop\po4877383.exe "C:\Users\user\Desktop\po4877383.exe"
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Users\user\Desktop\po4877383.exe VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Users\user\Desktop\po4877383.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\po4877383.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: po4877383.exe, 00000002.00000002.1863058913.0000000005EBC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                          Source: C:\Users\user\Desktop\po4877383.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\po4877383.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\po4877383.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\Desktop\po4877383.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\po4877383.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\po4877383.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information

                          Source: Yara match; File source: dump.pcap, type: PCAP
                          Source: Yara match; File source: 0.2.po4877383.exe.3df1d60.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.po4877383.exe.3e3cf80.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.po4877383.exe.3e3cf80.3.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 2.2.po4877383.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.po4877383.exe.3df1d60.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.po4877383.exe.3ea9008.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000000.00000002.1730761630.0000000003E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000000.00000002.1730761630.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000002.00000002.1849698001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000000.00000002.1730761630.0000000003E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: Process Memory Space: po4877383.exe PID: 7036, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: po4877383.exe PID: 3368, type: MEMORYSTR
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Electrum\walletsLRfq
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $fq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $fq-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Exodus\exodus.walletLRfq`
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum\walletsLRfq(w
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Exodus\exodus.walletLRfq`
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $fq%appdata%`,fqdC:\Users\user\AppData\Roaming`,fqdC:\Users\user\AppData\Roaming\Binance
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum\walletsLRfq(w
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $fq&%localappdata%\Coinomi\Coinomi\walletsLRfq
                          Source: po4877383.exe, 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $fq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
                          Source: C:\Users\user\Desktop\po4877383.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                          Source: Yara match; File source: 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: Process Memory Space: po4877383.exe PID: 3368, type: MEMORYSTR

                          Remote Access Functionality

                          Source: Yara match; File source: dump.pcap, type: PCAP
                          Source: Yara match; File source: 0.2.po4877383.exe.3df1d60.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.po4877383.exe.3e3cf80.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.po4877383.exe.3e3cf80.3.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 2.2.po4877383.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.po4877383.exe.3df1d60.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0.2.po4877383.exe.3ea9008.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000000.00000002.1730761630.0000000003E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000000.00000002.1730761630.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000002.00000002.1849698001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000000.00000002.1730761630.0000000003E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: Process Memory Space: po4877383.exe PID: 7036, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: po4877383.exe PID: 3368, type: MEMORYSTR
                          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 231 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                          Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                          Source | Detection | Scanner | Label | Link
                          po4877383.exe | 34% | ReversingLabs | Win32.Infostealer.Genie8DN |
                          po4877383.exe | 100% | Avira | HEUR/AGEN.1309499 |
                          po4877383.exe | 100% | Joe Sandbox ML | |
                          No Antivirus matches
                          No contacted domains info
                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://schemas.xmlsoap.org/ws/2005/02/sc/sct | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          https://duckduckgo.com/ac/?q= | po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id23ResponseD | po4877383.exe, 00000002.00000002.1852537468.0000000002D3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id12Response | po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/ | po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id2Response | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://www.fontbureau.com/designers | po4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id21Response | po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id9 | po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id8 | po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id5 | po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id4 | po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | | high
                          http://tempuri.org/Entity/Id7 | po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                  high
                                                                  http://purl.oenpo4877383.exe, 00000002.00000002.1852041181.0000000000F6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id6po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.sajatypeworks.compo4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id19Responsepo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.founder.com.cn/cn/cThepo4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licensepo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuepo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequencepo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsatpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.galapagosdesign.com/DPleasepo4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeypo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id15Responsepo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.urwpp.deDPleasepo4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.zhongyicts.com.cnpo4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registerpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id6Responsepo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeypo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://api.ip.sb/ippo4877383.exe, 00000000.00000002.1730761630.0000000003E34000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000000.00000002.1730761630.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000000.00000002.1730761630.0000000003E9C000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, po4877383.exe, 00000002.00000002.1849698001.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/scpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id1ResponseDpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id9Responsepo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id20po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id21po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id22po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://tempuri.org/Entity/Id23po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1po4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://tempuri.org/Entity/Id24po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issuepo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://tempuri.org/Entity/Id24Responsepo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://www.ecosia.org/newtab/po4877383.exe, 00000002.00000002.1852537468.0000000002EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://tempuri.org/Entity/Id1Responsepo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedpo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://www.carterandcone.comlpo4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlypo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Replaypo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegopo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binarypo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeypo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://www.fontbureau.com/designers/frere-user.htmlpo4877383.exe, 00000000.00000002.1733620135.0000000007242000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingpo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuepo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/trustpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://tempuri.org/Entity/Id10po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://tempuri.org/Entity/Id11po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://tempuri.org/Entity/Id12po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://tempuri.org/Entity/Id16Responsepo4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsepo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelpo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://tempuri.org/Entity/Id13po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://tempuri.org/Entity/Id14po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://tempuri.org/Entity/Id15po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://tempuri.org/Entity/Id16po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/Noncepo4877383.exe, 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://tempuri.org/Entity/Id17po4877383.exe, 00000002.00000002.1852537468.0000000002941000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.120.86 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
                                                                                                                                                                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                  Analysis ID:1566505
                                                                                                                                                                                                                                  Start date and time:2024-12-02 10:51:04 +01:00
                                                                                                                                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                  Overall analysis duration:0h 5m 19s
                                                                                                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                  Report type:full
                                                                                                                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                  Number of analysed new started processes analysed:7
                                                                                                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                                                                                                  Technologies:
                                                                                                                                                                                                                                  • HCA enabled
                                                                                                                                                                                                                                  • EGA enabled
                                                                                                                                                                                                                                  • AMSI enabled
                                                                                                                                                                                                                                  Analysis Mode:default
                                                                                                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                                                                                                  Sample name:po4877383.exe
                                                                                                                                                                                                                                  Detection:MAL
                                                                                                                                                                                                                                  Classification:mal100.troj.spyw.evad.winEXE@3/1@0/1
                                                                                                                                                                                                                                  EGA Information:
                                                                                                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                                                                                                  HCA Information:
                                                                                                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                                                                                                  • Number of executed functions: 36
                                                                                                                                                                                                                                  • Number of non-executed functions: 3
                                                                                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                  • VT rate limit hit for: po4877383.exe
Time | Type | Description
04:52:00 | API Interceptor | 24x Sleep call for process: po4877383.exe modified
Match: UNACS-AS-BG8000BurgasBG
Associated Sample Name / URL | Detection | Threat Name | Context
e824975.html | malicious | Unknown | 87.120.114.172
qqig1mHX8U.exe | malicious | AveMaria, DBatLoader, UACMe | 87.120.125.217
RFQ LIST 767655776478637584637865763478634365634444444444444444453.exe | malicious | GuLoader | 87.120.114.159
New listed items 7648767856387547354734567465647568487.exe | malicious | Discord Token Stealer, GuLoader | 87.120.114.159
file.exe | malicious | AsyncRAT, XWorm | 87.120.113.179
file.exe | malicious | Unknown | 87.120.125.16
file.exe | malicious | Unknown | 87.120.125.16
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 87.120.113.179
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\po4877383.exe
                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):1216
                                                                                                                                                                                                                                  Entropy (8bit):5.34331486778365
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                                                                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                                                                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                                                                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.6224380698541685
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:po4877383.exe
File size:835'584 bytes
MD5:a4fa8bbf123fa899ae788e1cf6b27d98
SHA1:e0866c961ba217c7a1dc4345cbade4d5f4deade4
SHA256:a16fd6417221b9f760ee7417a78751d6621726e8d76ab8e82954596c8e99d79c
SHA512:3eab239a9792b32b975271f28f8dd66e10c9f42ab38dbbc610e0e68de647cbf44d1e36ced85a5f976dbb702e61e7f227d61eb138d0c6d8f5e4ccf541ee3b4c1e
SSDEEP:12288:0+YNQKbM0NWWUV8v4oX3ZcPc9crEee9jc8zeb8BXw/ORnNyAd1n2l5usx+Xt7:0+QfWagwp9cbe28zeY4ORgrx
TLSH:B005F1A4B256CC0AD8A553B00E36F17013B92EDEA511D30F6FCA7EEBB873B121951647
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................
Icon Hash:4b66a4ecc5ce527b
Entrypoint:0x4bca8a
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xAF11C509 [Sun Jan 28 02:35:53 2063 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al

| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbca36 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x10e6c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbadd4 | 0x70 | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x2000 | 0xbaa90 | 0xbac00 | 7dc032a52cacac2f00e74a48a802b5e9 | False | 0.9194081011546185 | data | 7.7861025495254665 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xbe000 | 0x10e6c | 0x11000 | 933631efc4e373b649b81884c9cd82dd | False | 0.22002814797794118 | data | 4.387834898303855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xd0000 | 0xc | 0x200 | b010118018df05c60d00365ee0fa3986 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_ICON | 0xbe130 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | | | 0.21470188098899798 |
| RT_GROUP_ICON | 0xce958 | 0x14 | data | | | 1.0 |
| RT_VERSION | 0xce96c | 0x314 | data | | | 0.434010152284264 |
| RT_MANIFEST | 0xcec80 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |

| DLL | Import |
| --- | --- |
| mscoree.dll | _CorExeMain |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-12-02T10:52:04.593767+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP |
| 2024-12-02T10:52:04.593767+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP |
| 2024-12-02T10:52:05.005492+0100 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 87.120.120.86 | 1912 | 192.168.2.4 | 49733 | TCP |
| 2024-12-02T10:52:10.058958+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP |
| 2024-12-02T10:52:10.472232+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 87.120.120.86 | 1912 | 192.168.2.4 | 49733 | TCP |
| 2024-12-02T10:52:13.143188+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP |
| 2024-12-02T10:52:13.575262+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49733 | 87.120.120.86 | 1912 | TCP |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.891719103 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.891755104 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.891804934 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.891892910 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.891958952 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.891977072 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892007113 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892054081 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892105103 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892133951 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892177105 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892191887 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892242908 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892369032 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892412901 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892441034 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892451048 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892513037 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892522097 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892530918 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892589092 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892623901 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892632961 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892685890 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892733097 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892741919 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892759085 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892776012 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892798901 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892801046 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892842054 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892898083 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892906904 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892951012 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892972946 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.892982960 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.893030882 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.893069983 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.893079042 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.893119097 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.893135071 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:11.893176079 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011600018 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011612892 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011674881 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011684895 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011737108 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011742115 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011787891 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011794090 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011852980 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011926889 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011940956 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.011981010 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012003899 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012013912 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012053013 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012085915 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012104034 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012137890 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012193918 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012212992 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012274981 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012341022 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012449980 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012463093 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012521029 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012537956 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012661934 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012671947 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012775898 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012795925 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012897968 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.012907982 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013027906 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013036013 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013137102 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013145924 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013197899 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013211966 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013324976 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013334990 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013387918 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013406038 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013509989 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013520956 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013536930 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013612032 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013622999 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013783932 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013799906 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013811111 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013829947 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013839006 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.013851881 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.254834890 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.254884005 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.254961967 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255027056 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255134106 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255192995 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255328894 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255373955 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255476952 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255518913 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255634069 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255687952 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255775928 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255800962 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255916119 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.255924940 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256017923 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256027937 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256201029 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256242990 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256359100 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256416082 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256493092 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256619930 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256637096 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256745100 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256753922 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256808043 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256886005 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256983995 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.256998062 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.257069111 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.257078886 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.257144928 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.257153988 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.257224083 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.257497072 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.257564068 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.276962996 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277142048 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277151108 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277266026 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277275085 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277358055 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277420044 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277457952 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277522087 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277607918 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277673960 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277745008 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277754068 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277841091 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277849913 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277945042 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.277997971 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278073072 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278129101 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278213978 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278239965 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278301954 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278350115 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278439999 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278489113 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278579950 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278589010 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278650999 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278774977 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278784037 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278795004 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278851986 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278878927 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.278959990 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279001951 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279061079 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279110909 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279181957 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279231071 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279275894 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279331923 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279387951 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279436111 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279515982 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279536009 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279633045 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279650927 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279750109 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279758930 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279841900 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279851913 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279926062 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.279944897 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.280054092 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.280323029 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.280397892 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.377671003 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.501962900 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502042055 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502121925 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502131939 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502172947 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502237082 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502247095 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502336979 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502356052 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502450943 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502460003 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502574921 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502584934 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502645969 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502655029 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502790928 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502800941 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502851963 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502933025 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502979040 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.502990007 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503074884 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503086090 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503184080 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503195047 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503268957 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503298998 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503410101 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503418922 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503465891 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503519058 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503575087 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503624916 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503720045 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503729105 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503834009 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503853083 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.503969908 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.504112005 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.504122019 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.504131079 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.504139900 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.504359961 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.504441977 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.523874044 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.523931980 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524092913 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524151087 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524271965 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524353981 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524490118 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524560928 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524642944 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524701118 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524804115 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524849892 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524960041 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.524992943 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525149107 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525206089 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525291920 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525353909 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525440931 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525513887 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525619030 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525654078 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525794983 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.525928020 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526040077 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526179075 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526273012 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526417017 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526515007 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526680946 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526784897 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526793957 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526829004 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526918888 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.526995897 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.527062893 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.527144909 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.527196884 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.527302980 CET497331912192.168.2.487.120.120.86
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.624480963 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.624535084 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.624665976 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.624736071 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.624838114 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.624931097 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.624980927 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.625071049 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.625184059 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.625207901 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.625325918 CET19124973387.120.120.86192.168.2.4
                                                                                                                                                                                                                                  Dec 2, 2024 10:52:12.625492096 CET19124973387.120.120.86192.168.2.4


                                                                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                                                                  Start time:04:51:54
                                                                                                                                                                                                                                  Start date:02/12/2024
                                                                                                                                                                                                                                  Path:C:\Users\user\Desktop\po4877383.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\po4877383.exe"
                                                                                                                                                                                                                                  Imagebase:0x9a0000
                                                                                                                                                                                                                                  File size:835'584 bytes
                                                                                                                                                                                                                                  MD5 hash:A4FA8BBF123FA899AE788E1CF6B27D98
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1730761630.0000000003E34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1730761630.0000000003DD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1730761630.0000000003E9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:2
                                                                                                                                                                                                                                  Start time:04:52:00
                                                                                                                                                                                                                                  Start date:02/12/2024
                                                                                                                                                                                                                                  Path:C:\Users\user\Desktop\po4877383.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\po4877383.exe"
                                                                                                                                                                                                                                  Imagebase:0x4c0000
                                                                                                                                                                                                                                  File size:835'584 bytes
                                                                                                                                                                                                                                  MD5 hash:A4FA8BBF123FA899AE788E1CF6B27D98
                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1852537468.00000000029DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1849698001.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1852537468.0000000002B25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                  Has exited:true


                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                    Execution Coverage:9.1%
                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                                                                    Total number of Nodes:38
                                                                                                                                                                                                                                    Total number of Limit Nodes:7

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 012DD4F6
                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 012DD533
                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 012DD570
                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 012DD5C9
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2063062207-0
                                                                                                                                                                                                                                    • Opcode ID: 8495059e51caf13ce3e817640c9968604f8c81c116259653a0a2becff21f0f91
                                                                                                                                                                                                                                    • Instruction ID: d2768124e10daac1a8d0bb5fd08db9bc1505d54cd7f3df425b180d4dd23a7c50
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8495059e51caf13ce3e817640c9968604f8c81c116259653a0a2becff21f0f91
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 685157B0900649CFDB58CFA9E588B9EBBF1FF88314F24845EE509AB3A0D7345944CB61

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 012DD4F6
                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 012DD533
                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 012DD570
                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 012DD5C9
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2063062207-0
                                                                                                                                                                                                                                    • Opcode ID: 4138310695686cf5ce3b19e7dd7d30878d885f95d50c063c5f90dcca3e4c8dc7
                                                                                                                                                                                                                                    • Instruction ID: 89002aa90d50440b0d89ff0310af529fdae27f552b9df46032bb11660ddfa700
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4138310695686cf5ce3b19e7dd7d30878d885f95d50c063c5f90dcca3e4c8dc7
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0D5157B090064ACFDB54CFAAD588B9EBBF5FF88314F24841EE509A73A0D7345944CB65

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 012DB03E
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: HandleModule
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 4139908857-0

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 012D59C9
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2289755597-0

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 012D59C9
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2289755597-0

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012DD747
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3793708945-0

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012DD747
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3793708945-0

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 012DB03E
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: HandleModule
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1728987513.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_104d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 6e5ae7fd6422c64cbb0c570cccfa3897040f966ce20e9e66052442ad55f7043c
                                                                                                                                                                                                                                    • Instruction ID: 6f86c66560c014922c0ca50d2a29e5c80c6e7ad8c1baccb6cd070c2292bc880e
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6e5ae7fd6422c64cbb0c570cccfa3897040f966ce20e9e66052442ad55f7043c
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C2107F1604200EFDB05DF98D6C0B26BBA5FBA4324F24C6BDE9894B252C336D446CB61
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1728987513.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_104d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: f4afed0508b9e93a9383486e84051938db8c7fccd22898b7858fd19c78d69d5a
                                                                                                                                                                                                                                    • Instruction ID: fb9f9aa30ddf3b6b4ac907c7dafa9c0acb4842ce434730ed144bd40a7eb3e3d5
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f4afed0508b9e93a9383486e84051938db8c7fccd22898b7858fd19c78d69d5a
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FE2122B1604200DFCB15DF98D9C0B26BBA5FB94354F20C9BDE98A4B246C33AD407CB61
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1728987513.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_104d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 80a9c06835c9bc8a3cd7a95227e9d701827f076a94ba7b38ae53c04f81df4e9d
                                                                                                                                                                                                                                    • Instruction ID: 47194c0101d1e015ea3957a8e10c8e4d5db7ca22c58b910d62bef64ad4a9ab6b
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 80a9c06835c9bc8a3cd7a95227e9d701827f076a94ba7b38ae53c04f81df4e9d
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 952183B55083809FCB13CF54D9D4711BFB1EB56214F24C5EAD8898B2A7C33AD846CB62
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1728987513.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_104d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                                                                                                    • Instruction ID: 26e8fc8a99396f23e72227087db2f7dda779d748dc2697ef7cd8a12fa54b10e7
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3711BBB5504280DFDB12DF54C6C4B15BBA2FB94224F24C6AAD8894B696C33AD44ACB61
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1729448435.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_12d0000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: bc389f0c8e49c396fef5e36bb4af937ae666f8bfc81b2c706b6b6c68651f8d15
                                                                                                                                                                                                                                    • Instruction ID: 681fca1aab2011b4971e5ff58a66b5d18c6b909e5843debe63be6dd3cdab5d5e
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc389f0c8e49c396fef5e36bb4af937ae666f8bfc81b2c706b6b6c68651f8d15
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DA19432E10216CFCF19DFB4C5845EEBBB2FF85301B15856AE912AB265DB71D906CB80

Execution Graph

Execution Coverage: 13.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 125
Total number of Limit Nodes: 11

Control-flow Graph

Memory Dump Source
• Source File: 00000002.00000002.1866118780.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a50000_po4877383.jbxd
Similarity
• String ID: $fq$$fq$$fq$$fq
• API String ID: 0-2113499236

Control-flow Graph

Memory Dump Source
• Source File: 00000002.00000002.1866118780.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a50000_po4877383.jbxd
Similarity
• String ID: $fq$$fq$$fq$$fq
• API String ID: 0-2113499236

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00E1D136
                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 00E1D173
                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00E1D1B0
                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00E1D209
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851803956.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_e10000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2063062207-0

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00E1D136
                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 00E1D173
                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00E1D1B0
                                                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00E1D209
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851803956.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_e10000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2063062207-0

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00E1B086
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851803956.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_e10000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: HandleModule
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 4139908857-0

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E31E02
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1859073928.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_4e30000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: CreateWindow
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 716092398-0

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E31E02
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1859073928.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_4e30000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: CreateWindow
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 716092398-0

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E34381
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1859073928.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_4e30000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: CallProcWindow
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2714655100-0
                                                                                                                                                                                                                                    • Opcode ID: 6f378563059aef757a4a4ddd063d93072cf62942e68141e084dbec760cd33bc3
                                                                                                                                                                                                                                    • Instruction ID: c8b321b5333f5535816a44d6c9716c12745127aa0c7252001f20ea84f2215ee3
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f378563059aef757a4a4ddd063d93072cf62942e68141e084dbec760cd33bc3
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 914127B8A00309CFDB15CF99C488AAABBF5FF88314F24C559D519AB361D374A841CBA0

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00E159F1
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851803956.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_e10000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                                                                    • Opcode ID: 78c78c9d839170af332803a2c60372c1438a5fa80e515de8437397f243fef1ea
                                                                                                                                                                                                                                    • Instruction ID: bc314a153495642dfa3d78923c8d9966ae7f8aad1b3a9bfb7599b03b02531a2b
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 78c78c9d839170af332803a2c60372c1438a5fa80e515de8437397f243fef1ea
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F41CEB5D00719CEDB24CFA9C984ACEBBB5FF88304F20816AD418BB251DB756985CF90

                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateActCtxA.KERNEL32(?), ref: 00E159F1
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851803956.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_e10000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                                                                    • Opcode ID: bce8c81c319871da8f420884dcae4d8f9afc2d5ac8188d9e1239a14a32007061
                                                                                                                                                                                                                                    • Instruction ID: 497735bcb6cc18809fac590f2d98c2e183662bf6620849b402ff8a48c1083f25
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bce8c81c319871da8f420884dcae4d8f9afc2d5ac8188d9e1239a14a32007061
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4641D4B5D00719CADB24CFA9C984BDEBBB5FF84304F20816AD408BB251DB756945CF90
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1859073928.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E30000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_4e30000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 2b8ea879d2a4128159b916b1579d15fe65525f647dd061b8176a09775947a415
                                                                                                                                                                                                                                    • Instruction ID: 5cc5a2007ab47956d329c85d7eaaeb56a12aaa23bf29df27eb26d0eb0cdfec61
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2b8ea879d2a4128159b916b1579d15fe65525f647dd061b8176a09775947a415
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5621E7B4E05218DFCB09CFA8E9886ECBBB1BF49315F14916AE405B3361D7305941DB54
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E1D387
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851803956.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_e10000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3793708945-0
                                                                                                                                                                                                                                    • Opcode ID: 6fc3503f67aaa42e2eb2fb33048922ed9fcecac698de87e9a8c0c2f7d685e821
                                                                                                                                                                                                                                    • Instruction ID: 9c10cc38528db4c361dd5ea3ea66f36c8c65a2c03fbb8217759ffa53c170276e
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6fc3503f67aaa42e2eb2fb33048922ed9fcecac698de87e9a8c0c2f7d685e821
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AB21E3B5901249AFDB10CF9AD985ADEFBF9FB48324F14841AE918B7310D374A950CFA1
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E1D387
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851803956.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_e10000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: DuplicateHandle
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3793708945-0
                                                                                                                                                                                                                                    • Opcode ID: c7fa0a6aa51d48a053567bf92e11d6ae28f6ceefc400ecfedd0d42abd7684370
                                                                                                                                                                                                                                    • Instruction ID: 16c64cfe144a32b50c6e9b0ed049d625fc9c9ba806042b7466baf6ae734ec5dc
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c7fa0a6aa51d48a053567bf92e11d6ae28f6ceefc400ecfedd0d42abd7684370
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FD21E4B59002489FDB10CF9AD984ADEFBF9EB48320F14801AE918B3310C374A950CFA1
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A560E5
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1866118780.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_6a50000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: MessagePost
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 410705778-0
                                                                                                                                                                                                                                    • Opcode ID: d086a748e9047e4bfb4883f1edf01cd82c42bfd253f404869ce7ed3366408f1c
                                                                                                                                                                                                                                    • Instruction ID: 3ca8f9cba276471c81390e3fa1847366627d47396470074ab8c611896401203d
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d086a748e9047e4bfb4883f1edf01cd82c42bfd253f404869ce7ed3366408f1c
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2911F5B58003499FDB10DF9AD845BDEFFF8EB48324F20841AE954A7610C375A944CFA1
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06A560E5
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1866118780.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_6a50000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: MessagePost
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 410705778-0
                                                                                                                                                                                                                                    • Opcode ID: 1a033bacb94656c09dc60ad5e4e1683a7ac85f31010927e56b9b21cacfa31289
                                                                                                                                                                                                                                    • Instruction ID: a1299fb6d58b6d7a3057dcc2b921bf46bf28e8aa4d16a1a586cae2ab153f34dc
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a033bacb94656c09dc60ad5e4e1683a7ac85f31010927e56b9b21cacfa31289
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2711F5B58003499FDB60DF99C885BDEFBF8EB48324F24841AE954A7610C375A944CFA1
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00E1B086
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851803956.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_e10000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: HandleModule
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                                                                                                                    • Opcode ID: 303ce21559225b7427fc6fe01d4fb5e72d7d997ef6b666353e52991a60f81d86
                                                                                                                                                                                                                                    • Instruction ID: 73568689f7ebee58a90510aa4c7521805ed2d2d4125bcd37721b0cf7fba0afa6
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 303ce21559225b7427fc6fe01d4fb5e72d7d997ef6b666353e52991a60f81d86
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B611DFB5C00349CFDB20CF9AD444ADEFBF9AB88324F14841AD469B7610C379A645CFA1
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851532580.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_d7d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: ffe36b5b592492ae7ee5bddf7b8b1c970fb5d18a3b0d712722a9f5decfbaf7e3
                                                                                                                                                                                                                                    • Instruction ID: 06a1b8486a6597aadd1905fe00e13a64770fe2d6385ae153255f9729b5750613
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ffe36b5b592492ae7ee5bddf7b8b1c970fb5d18a3b0d712722a9f5decfbaf7e3
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9021F4B6504244EFCB099F14D9C0B2ABFB6FF88314F24C669E94D0A256D336D816DBB1
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851532580.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_d7d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 96a6c1a7247bc04f3500da123a9d2797117e5d90c965d6611b2513c0151691b2
                                                                                                                                                                                                                                    • Instruction ID: 1b86b6a5ff84b0ad688db4f15eb4096cb272a0f71621a23af6a391ba6dccfd99
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 96a6c1a7247bc04f3500da123a9d2797117e5d90c965d6611b2513c0151691b2
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B32121B1504200DFCB05DF14C9C0B26BF76FF88328F24C569E9490A256D336D806CAB1
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851579427.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_d8d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: aae9dfdd514f4dbb07703a6cc5746dca9c3e20d7b1a5f3709f9b480f73ef61be
                                                                                                                                                                                                                                    • Instruction ID: b0e6d7758d964e1761e98627b0c7810d01117eddb35b312f7eb6b1904bbb63b9
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aae9dfdd514f4dbb07703a6cc5746dca9c3e20d7b1a5f3709f9b480f73ef61be
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8221D0B5604204EFDB14EF14D9C0B26BB66EB84314F24C969E94A4B2D6C73AD847CB71
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851579427.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_d8d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: d794909375e8c16b3dd0bdfefb35b2a4231777a5d08dcf0891ddbc0ec6fff375
                                                                                                                                                                                                                                    • Instruction ID: 6b2ff8b8acbf15829ad8a03fd0fa4ea9afc628ef4246d613b6c484ffa1eb4bd7
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d794909375e8c16b3dd0bdfefb35b2a4231777a5d08dcf0891ddbc0ec6fff375
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C42180755093808FDB12DF24D990715BF72EB46314F28C5EAD8498B6E7C33A984ACB62
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851532580.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_d7d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: ad2dec59e3151889acede25dbdc09f1e0996748c90a37620c8196c664727292b
                                                                                                                                                                                                                                    • Instruction ID: 2abbc854497bc42eb4df3fca1697f04836fc824dd97a34bc1644799e3cd9462b
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ad2dec59e3151889acede25dbdc09f1e0996748c90a37620c8196c664727292b
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7721AF76504280DFCB1ACF10D9C4B16BF72FF88314F28C6A9D9494B656C33AD866CBA1
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851532580.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_d7d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                                                                                                    • Instruction ID: d19224a8eb9f94daf9527bdbd23d6824d6f99183e4aaa4905ba34652f25f9d79
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5511E676504280CFCB16CF14D5C4B16BF72FF94328F28C6A9D8494B656C33AD85ACBA1
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851532580.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_d7d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: c7845dc9577fd14723585dd35937f9756b4747445dcfa0bbf1c05a0368603ba4
                                                                                                                                                                                                                                    • Instruction ID: 62913ca0d60f07cbd1bb058c4eb783c203951d4201c564d5acaf4446dc790145
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c7845dc9577fd14723585dd35937f9756b4747445dcfa0bbf1c05a0368603ba4
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F501F772005340AAE7104A29C8C0726FFB9DF51324F1CC41AEE4D5A182D738D840DA71
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1851532580.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_2_2_d7d000_po4877383.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: ca915e411f0917a2fc706ba2052f84340f286d141d99badff6fda62bf386a136
                                                                                                                                                                                                                                    • Instruction ID: 3859ace61801d4a990f57db7751b4a9ec5b889428810eb5409c881fa7b8b079b
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ca915e411f0917a2fc706ba2052f84340f286d141d99badff6fda62bf386a136
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 09F0C272404340AEEB208A0AD8C4B66FFE9EF50324F18C05AEE4C5A282C3799840CA71
Memory Dump Source
• Source File: 00000002.00000002.1866118780.0000000006A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a50000_po4877383.jbxd