
Windows Analysis Report
2eRd5imEKU.exe

Overview

General Information

Sample name: 2eRd5imEKU.exe (renamed because the original name is a hash value)
Original sample name: e844c45831ec146a5c82479c1381a32827034b11078e433870006e40ea13cf15.exe
Analysis ID: 1587701
MD5: a5f1d2b0754206f99ad204434058f29d
SHA1: 4741635dd9f9839771ee8d5c37a0270b5f3149f6
SHA256: e844c45831ec146a5c82479c1381a32827034b11078e433870006e40ea13cf15
Tags: exeuser-adrian__luca

Detection

RedLine
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2eRd5imEKU.exe (PID: 3260 cmdline: "C:\Users\user\Desktop\2eRd5imEKU.exe" MD5: A5F1D2B0754206F99AD204434058F29D)
    • 2eRd5imEKU.exe (PID: 5576 cmdline: "C:\Users\user\Desktop\2eRd5imEKU.exe" MD5: A5F1D2B0754206F99AD204434058F29D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available for sale on underground forums, apparently either as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration: {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
00000000.00000002.2344445600.000000000362C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000004.00000002.4028794959.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2344445600.00000000035E9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2344445600.0000000003677000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: 2eRd5imEKU.exe PID: 3260 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Source | Rule | Description | Author | Strings
0.2.2eRd5imEKU.exe.3634b90.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.2eRd5imEKU.exe.3634b90.1.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
              • 0x24cc3:$gen01: ChromeGetRoamingName
              • 0x24ce8:$gen02: ChromeGetLocalName
              • 0x24d2b:$gen03: get_UserDomainName
              • 0x28bc4:$gen04: get_encrypted_key
              • 0x27943:$gen05: browserPaths
              • 0x27c19:$gen06: GetBrowsers
              • 0x27501:$gen07: get_InstalledInputLanguages
              • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
              • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
              • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
              • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
              • 0x296be:$spe9: *wallet*
              • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
              • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
              • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
              • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
              • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
              • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
              • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
              • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.2eRd5imEKU.exe.3634b90.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.2eRd5imEKU.exe.3634b90.1.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
                • 0x22ec3:$gen01: ChromeGetRoamingName
                • 0x22ee8:$gen02: ChromeGetLocalName
                • 0x22f2b:$gen03: get_UserDomainName
                • 0x26dc4:$gen04: get_encrypted_key
                • 0x25b43:$gen05: browserPaths
                • 0x25e19:$gen06: GetBrowsers
                • 0x25701:$gen07: get_InstalledInputLanguages
                • 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
                • 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
                • 0x4a638:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
                • 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
                • 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
                • 0x278be:$spe9: *wallet*
                • 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
                • 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042
                • 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
                • 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
                • 0x1fbc1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
                • 0x1fd92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
                • 0x1ffe5:$typ11: 2A19BFD7333718195216588A698752C517111B02
                • 0x202d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.2eRd5imEKU.exe.35e9970.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                  No Sigma rule has matched
                  No Suricata rule has matched


                  AV Detection

Source: 00000000.00000002.2344445600.000000000362C000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 2eRd5imEKU.exe | ReversingLabs: Detection: 73%
Source: 2eRd5imEKU.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2eRd5imEKU.exe | Joe Sandbox ML: detected
Source: 2eRd5imEKU.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 2eRd5imEKU.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb | source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb | source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb | source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb|b | source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb | source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.000000000102B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb | source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp

                  Networking

Source: Malware configuration extractor | URLs: 87.120.120.86:1912
Source: global traffic | TCP traffic: 192.168.2.6:49858 -> 87.120.120.86:1912
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86
Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rmX
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  • http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • http://tempuri.org/Entity/
Source: 2eRd5imEKU.exe, memory dumps 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • http://tempuri.org/Entity/Id10LR
  • http://tempuri.org/Entity/Id10Response
  • http://tempuri.org/Entity/Id11LR
  • http://tempuri.org/Entity/Id11Response
  • http://tempuri.org/Entity/Id12LR
  • http://tempuri.org/Entity/Id12Response
  • http://tempuri.org/Entity/Id13LR
  • http://tempuri.org/Entity/Id13Response
  • http://tempuri.org/Entity/Id14LR
  • http://tempuri.org/Entity/Id14Response
  • http://tempuri.org/Entity/Id15LR
  • http://tempuri.org/Entity/Id15Response
  • http://tempuri.org/Entity/Id16LR
  • http://tempuri.org/Entity/Id16Response
  • http://tempuri.org/Entity/Id17LR
  • http://tempuri.org/Entity/Id17Response
  • http://tempuri.org/Entity/Id18LR
  • http://tempuri.org/Entity/Id18Response
  • http://tempuri.org/Entity/Id19LR
  • http://tempuri.org/Entity/Id19Response
  • http://tempuri.org/Entity/Id1LR
  • http://tempuri.org/Entity/Id1Response
  • http://tempuri.org/Entity/Id20LR
  • http://tempuri.org/Entity/Id20Response
  • http://tempuri.org/Entity/Id21LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/P
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/x
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2344445600.000000000362C000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000000.00000002.2344445600.0000000003677000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000000.00000002.2344445600.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4028794959.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip

                  System Summary

                  Source: 0.2.2eRd5imEKU.exe.3634b90.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
                  Source: 0.2.2eRd5imEKU.exe.3634b90.1.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
                  Source: 0.2.2eRd5imEKU.exe.35e9970.4.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
                  Source: 4.2.2eRd5imEKU.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
                  Source: 0.2.2eRd5imEKU.exe.35e9970.4.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings, Author: Sekoia.io
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_00D0E714
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_04AA7D60
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_04AA0703
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_04AA0710
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_04AA7D43
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_06A8E438
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_06A8E000
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_06A8A8B8
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 0_2_06A8E870
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 4_2_0122DC74
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 4_2_053CEE58
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 4_2_053C8850
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 4_2_053C0006
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 4_2_053C0040
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Code function: 4_2_053C8840
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2347175363.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2343851900.0000000002629000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2344445600.000000000362C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2344445600.0000000003677000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2344445600.0000000003677000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2344445600.000000000375B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2344445600.000000000375B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2341808623.000000000061E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000000.2178626207.0000000000234000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamechmK.exe. vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000000.00000002.2347748039.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4028794959.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe | Binary or memory string: OriginalFilenamechmK.exe. vs 2eRd5imEKU.exe
                  Source: 2eRd5imEKU.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: 0.2.2eRd5imEKU.exe.3634b90.1.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.2eRd5imEKU.exe.3634b90.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.2eRd5imEKU.exe.35e9970.4.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 4.2.2eRd5imEKU.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.2eRd5imEKU.exe.35e9970.4.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 2eRd5imEKU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal92.troj.evad.winEXE@3/1@0/1
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2eRd5imEKU.exe.log
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Mutant created: NULL
                  Source: 2eRd5imEKU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 2eRd5imEKU.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 2eRd5imEKU.exe | ReversingLabs: Detection: 73%
                  Source: 2eRd5imEKU.exe | Virustotal: Detection: 56%
                  Source: unknown | Process created: C:\Users\user\Desktop\2eRd5imEKU.exe "C:\Users\user\Desktop\2eRd5imEKU.exe"
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Process created: C:\Users\user\Desktop\2eRd5imEKU.exe "C:\Users\user\Desktop\2eRd5imEKU.exe"
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Process created: C:\Users\user\Desktop\2eRd5imEKU.exe "C:\Users\user\Desktop\2eRd5imEKU.exe"
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: iconcodecservice.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: msvcp140_clr0400.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: 2eRd5imEKU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 2eRd5imEKU.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb|b source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.000000000102B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000000F86000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Code function: 4_2_053CD442 push eax; ret 4_2_053CD451
                  Source: 2eRd5imEKU.exe; Static PE information: section name: .text entropy: 7.789811569487894
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match; File source: Process Memory Space: 2eRd5imEKU.exe PID: 3260, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: D00000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: 25E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: 2400000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: 8490000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: 9490000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: 9690000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: A690000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: 1220000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: 2D80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: 4D80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe TID: 6404; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Last function: Thread delayed
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Thread delayed: delay time: 922337203685477
                  Source: 2eRd5imEKU.exe, 00000004.00000002.4029041377.0000000001020000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Process created: C:\Users\user\Desktop\2eRd5imEKU.exe "C:\Users\user\Desktop\2eRd5imEKU.exe"
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Users\user\Desktop\2eRd5imEKU.exe VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Users\user\Desktop\2eRd5imEKU.exe VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\2eRd5imEKU.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match; File source: 0.2.2eRd5imEKU.exe.3634b90.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.2eRd5imEKU.exe.3634b90.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.2eRd5imEKU.exe.35e9970.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 4.2.2eRd5imEKU.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.2eRd5imEKU.exe.35e9970.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000000.00000002.2344445600.000000000362C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000004.00000002.4028794959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2344445600.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2344445600.0000000003677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: 2eRd5imEKU.exe PID: 3260, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: 2eRd5imEKU.exe PID: 5576, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match; File source: 0.2.2eRd5imEKU.exe.3634b90.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.2eRd5imEKU.exe.3634b90.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.2eRd5imEKU.exe.35e9970.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 4.2.2eRd5imEKU.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.2eRd5imEKU.exe.35e9970.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000000.00000002.2344445600.000000000362C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000004.00000002.4028794959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2344445600.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2344445600.0000000003677000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: 2eRd5imEKU.exe PID: 3260, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: 2eRd5imEKU.exe PID: 5576, type: MEMORYSTR
                  MITRE ATT&CK matrix, listed per tactic in the original row order (numbers in parentheses are the counts shown in the matrix):

                  Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
                  Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
                  Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
                  Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
                  Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
                  Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
                  Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Software Packing (2), Process Injection (11), DLL Side-Loading (1), Obfuscated Files or Information (2)
                  Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
                  Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (31), System Information Discovery (12), System Network Configuration Discovery, Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery
                  Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
                  Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
                  Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
                  Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
                  Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

                  Source | Detection | Scanner | Label
                  2eRd5imEKU.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
                  2eRd5imEKU.exe | 56% | Virustotal |
                  2eRd5imEKU.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  87.120.120.86:1912 | 0% | Avira URL Cloud | safe
                  No contacted domains info
                  Name | Malicious | Antivirus Detection | Reputation
                  87.120.120.86:1912 | true | Avira URL Cloud: safe | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://tempuri.org/Entity/Id10Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id24LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id8Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id22LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id20LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id12Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/soap/envelope/ | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id2Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id21Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id19LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id23Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id17LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id15LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | |
                                            high
                                            http://tempuri.org/Entity/Id9LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://tempuri.org/Entity/Id19Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://tempuri.org/Entity/Id13LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://tempuri.org/Entity/Id7LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://tempuri.org/Entity/Id11LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing/fault2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://tempuri.org/Entity/Id17Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://tempuri.org/Entity/Id1LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://tempuri.org/Entity/Id5LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id20Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id3LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id15Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id13Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id4Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id6Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://api.ip.sb/ip2eRd5imEKU.exe, 00000000.00000002.2344445600.000000000362C000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000000.00000002.2344445600.0000000003677000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000000.00000002.2344445600.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4028794959.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id23LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id7Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id21LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://tempuri.org/x2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id11Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id9Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id22Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id24Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id1Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id18LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id16LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id8LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id14LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id6LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id18Response2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id12LR2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
http://schemas.xmlsoap.org/ws/2004/08/addressing | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id10LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id4LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id2LR | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rmX | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id3Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id16Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/P | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id5Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/actor/next | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id14Response | 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, 2eRd5imEKU.exe, 00000004.00000002.4030063820.0000000002F32000.00000004.00000800.00020000.00000000.sdmp | false | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
87.120.120.86 | unknown | Bulgaria | | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587701
Start date and time: 2025-01-10 17:13:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 2eRd5imEKU.exe (renamed because the original name is a hash value)
Original Sample Name: e844c45831ec146a5c82479c1381a32827034b11078e433870006e40ea13cf15.exe
Detection: MAL
Classification: mal92.troj.evad.winEXE@3/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 87
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 4.245.163.56
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
87.120.120.86 | 17.12.2024 ________.exe | Get hash | malicious | RedLine | Browse |
 | #U0417#U0430#U043f#U0440#U043e#U0441 11.12.2024.exe | Get hash | malicious | RedLine | Browse |
 | po4877383.exe | Get hash | malicious | RedLine | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNACS-AS-BG8000BurgasBG | 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 87.120.116.179
 | Material Requirments.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 87.120.116.245
 | Material requirements_1.pif.exe | Get hash | malicious | Remcos | Browse | 87.120.116.245
 | 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 87.120.116.179
 | 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Get hash | malicious | XWorm | Browse | 87.120.116.179
 | Inquiry List.doc | Get hash | malicious | DarkVision Rat | Browse | 87.120.113.91
 | 3lhrJ4X.exe | Get hash | malicious | LiteHTTP Bot | Browse | 87.120.126.5
 | XClient.exe | Get hash | malicious | XWorm | Browse | 87.120.125.47
 | file.exe | Get hash | malicious | DcRat, JasonRAT | Browse | 87.120.113.91
No context
No context
Process: C:\Users\user\Desktop\2eRd5imEKU.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                            Entropy (8bit):7.774268600609801
                                                                                                                                                            TrID:
                                                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                            File name:2eRd5imEKU.exe
                                                                                                                                                            File size:794'624 bytes
                                                                                                                                                            MD5:a5f1d2b0754206f99ad204434058f29d
                                                                                                                                                            SHA1:4741635dd9f9839771ee8d5c37a0270b5f3149f6
                                                                                                                                                            SHA256:e844c45831ec146a5c82479c1381a32827034b11078e433870006e40ea13cf15
                                                                                                                                                            SHA512:4ff320f9ebe550d20649d2e42a5cb58be6bf9ddf75a3c73a3840574b7b972bf56b07a578a9075812c28aca91f6fefa93492cffec7e3597cf1393cc487fc5937f
                                                                                                                                                            SSDEEP:12288:3WASwBlF55OHTDPEZcq7fh2KFL/2geR2C0fteSU9WNBpjhi/P:3Z/FXOP2hpUMCQjXpjhi
                                                                                                                                                            TLSH:B6F401687A49E807C86126B80931F27523B95EEDBA01C3836FD57EEF7863B439C55483
                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$jg.............................%... ...@....@.. ....................................@................................
                                                                                                                                                            Icon Hash:32642092d4f29244
Entrypoint: 0x4c2506
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x676A24C7 [Tue Dec 24 03:04:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the report lists the "add byte ptr [eax], al" line 97 times in a row: it is the disassembler decoding the 0x00 padding bytes that follow the entrypoint stub. 0x402000 is the IAT entry listed below, the only import being mscoree.dll!_CorExeMain, which is the standard native entry stub of a .NET executable.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc24ac | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x14ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc050c | 0xc0600 | 88dcbe13b64f05e796de07c153fb2583 | False | 0.9171578033625731 | data | 7.789811569487894 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc4000 | 0x14ec | 0x1600 | aff89be198c6e47acb6438aee3e9e9a5 | False | 0.36381392045454547 | data | 4.479450460692481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc6000 | 0xc | 0x200 | fffbc7c20c7200bfdab406b82ec92d84 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc4118 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.3726547842401501
RT_GROUP_ICON | 0xc51c0 | 0x14 | data | | | 1.1
RT_GROUP_ICON | 0xc51d4 | 0x14 | data | | | 1.05
RT_VERSION | 0xc51e8 | 0x304 | data | | | 0.4365284974093264
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 17:15:11.804764986 CET | 49858 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:15:11.809525013 CET | 1912 | 49858 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:15:11.809643030 CET | 49858 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:15:11.820555925 CET | 49858 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:15:11.825314999 CET | 1912 | 49858 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:15:33.189003944 CET | 1912 | 49858 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:15:33.189071894 CET | 49858 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:15:33.735972881 CET | 49858 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:15:39.243094921 CET | 49989 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:15:39.247951984 CET | 1912 | 49989 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:15:39.248095036 CET | 49989 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:15:39.248394012 CET | 49989 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:15:39.253295898 CET | 1912 | 49989 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:00.625279903 CET | 1912 | 49989 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:00.625526905 CET | 49989 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:00.626204014 CET | 49989 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:05.634464979 CET | 49991 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:05.639365911 CET | 1912 | 49991 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:05.644207001 CET | 49991 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:05.644457102 CET | 49991 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:05.649262905 CET | 1912 | 49991 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:27.027090073 CET | 1912 | 49991 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:27.027167082 CET | 49991 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:27.027405977 CET | 49991 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:32.039120913 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:32.044104099 CET | 1912 | 49993 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:32.044209003 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:32.044435978 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:32.049261093 CET | 1912 | 49993 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:53.419363022 CET | 1912 | 49993 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:53.419516087 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:53.420845032 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:58.429927111 CET | 49995 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:58.434912920 CET | 1912 | 49995 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:16:58.435043097 CET | 49995 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:58.435278893 CET | 49995 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:16:58.440403938 CET | 1912 | 49995 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:17:19.794176102 CET | 1912 | 49995 | 87.120.120.86 | 192.168.2.6
Jan 10, 2025 17:17:19.794349909 CET | 49995 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:17:19.794631004 CET | 49995 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 10, 2025 17:17:24.805051088 CET | 49997 | 1912 | 192.168.2.6 | 87.120.120.86
                                                                                                                                                            Jan 10, 2025 17:17:24.809856892 CET19124999787.120.120.86192.168.2.6
                                                                                                                                                            Jan 10, 2025 17:17:24.810204029 CET499971912192.168.2.687.120.120.86
                                                                                                                                                            Jan 10, 2025 17:17:24.810204029 CET499971912192.168.2.687.120.120.86
                                                                                                                                                            Jan 10, 2025 17:17:24.815083981 CET19124999787.120.120.86192.168.2.6
                                                                                                                                                            Jan 10, 2025 17:17:46.172038078 CET19124999787.120.120.86192.168.2.6
                                                                                                                                                            Jan 10, 2025 17:17:46.172380924 CET499971912192.168.2.687.120.120.86
                                                                                                                                                            Jan 10, 2025 17:17:46.172380924 CET499971912192.168.2.687.120.120.86
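The rows above show the sample cycling connections to 87.120.120.86:1912: each session is held open for roughly 21 seconds, the server side closes it, and the next ephemeral port appears about 5 seconds after the last packet of the previous session. That fixed sleep-then-reconnect pattern is the detectable signal, more robust than the raw start-to-start period, because it survives a truncated first session (the single 49991 packet here is the tail of a session whose earlier packets precede this excerpt). The Python below is an added example, not part of the Joe Sandbox report: it parses the packet rows (transcribed from the table above with the fused columns split by hand), groups both directions of each connection by client port, and measures the reconnect gap. The jitter threshold, the minimum session count and the well-known-port set are assumptions chosen for illustration.

```python
"""Beacon-interval check over the TCP packet rows of this report (added example)."""
import re
import statistics
from datetime import datetime, timedelta

# Rows transcribed from the packet list above; the report's fused columns were split by hand.
PACKET_ROWS = """\
Jan 10, 2025 17:16:27.027405977 CET 49991 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:32.039120913 CET 49993 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:32.044104099 CET 1912 49993 87.120.120.86 192.168.2.6
Jan 10, 2025 17:16:32.044209003 CET 49993 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:32.044435978 CET 49993 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:32.049261093 CET 1912 49993 87.120.120.86 192.168.2.6
Jan 10, 2025 17:16:53.419363022 CET 1912 49993 87.120.120.86 192.168.2.6
Jan 10, 2025 17:16:53.419516087 CET 49993 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:53.420845032 CET 49993 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:58.429927111 CET 49995 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:58.434912920 CET 1912 49995 87.120.120.86 192.168.2.6
Jan 10, 2025 17:16:58.435043097 CET 49995 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:58.435278893 CET 49995 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:16:58.440403938 CET 1912 49995 87.120.120.86 192.168.2.6
Jan 10, 2025 17:17:19.794176102 CET 1912 49995 87.120.120.86 192.168.2.6
Jan 10, 2025 17:17:19.794349909 CET 49995 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:17:19.794631004 CET 49995 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:17:24.805051088 CET 49997 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:17:24.809856892 CET 1912 49997 87.120.120.86 192.168.2.6
Jan 10, 2025 17:17:24.810204029 CET 49997 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:17:24.810204029 CET 49997 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:17:24.815083981 CET 1912 49997 87.120.120.86 192.168.2.6
Jan 10, 2025 17:17:46.172038078 CET 1912 49997 87.120.120.86 192.168.2.6
Jan 10, 2025 17:17:46.172380924 CET 49997 1912 192.168.2.6 87.120.120.86
Jan 10, 2025 17:17:46.172380924 CET 49997 1912 192.168.2.6 87.120.120.86
"""

# One row: "<Mon D, YYYY> <HH:MM:SS>.<fraction> <TZ> <sport> <dport> <src> <dst>"
ROW_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4}) (?P<hms>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+)$"
)


def parse_rows(text):
    """Return (timestamp, sport, dport, src, dst) tuples; the nanosecond fraction is
    folded into a timedelta (microsecond resolution is plenty for beacon timing)."""
    packets = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines the extractor mangled
        base = datetime.strptime(f"{m['date']} {m['hms']}", "%b %d, %Y %H:%M:%S")
        ts = base + timedelta(seconds=int(m["frac"]) / 10 ** len(m["frac"]))
        packets.append((ts, int(m["sport"]), int(m["dport"]), m["src"], m["dst"]))
    return packets


def sessions(packets, server_ip, server_port):
    """Group both directions of each connection to the C2 by the client's ephemeral port.
    Returns [(client_port, first_seen, last_seen)] ordered by first_seen."""
    seen = {}
    for ts, sport, dport, src, dst in packets:
        if dst == server_ip and dport == server_port:
            key = sport            # client -> server
        elif src == server_ip and sport == server_port:
            key = dport            # server -> client
        else:
            continue               # unrelated traffic
        first, last = seen.get(key, (ts, ts))
        seen[key] = (min(first, ts), max(last, ts))
    return sorted(((k, f, l) for k, (f, l) in seen.items()), key=lambda s: s[1])


def session_durations(sess):
    """Seconds each session stayed open (first to last packet seen)."""
    return [(last - first).total_seconds() for _, first, last in sess]


def reconnect_gaps(sess):
    """Seconds between the last packet of one session and the first packet of the next."""
    return [(nxt[1] - prev[2]).total_seconds() for prev, nxt in zip(sess, sess[1:])]


def beacon_verdict(gaps, max_jitter=0.5, min_sessions=3):
    """Flag a fixed sleep-then-reconnect loop: enough sessions and near-constant gaps.
    Thresholds are assumptions for illustration, not values from the report."""
    if len(gaps) + 1 < min_sessions:
        return {"beaconing": False, "period": None, "jitter": None}
    period = statistics.median(gaps)
    jitter = max(gaps) - min(gaps)
    return {"beaconing": jitter <= max_jitter,
            "period": round(period, 2), "jitter": round(jitter, 3)}


# Assumption for triage: ports outside this set count as "non-standard" for a C2 channel.
WELL_KNOWN_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}


def non_standard_port(port):
    return port not in WELL_KNOWN_PORTS


if __name__ == "__main__":
    sess = sessions(parse_rows(PACKET_ROWS), "87.120.120.86", 1912)
    print("sessions:", [(p, round(d, 2)) for (p, _, _), d in zip(sess, session_durations(sess))])
    print("reconnect gaps:", [round(g, 3) for g in reconnect_gaps(sess)])
    print(beacon_verdict(reconnect_gaps(sess)), "non-standard port:", non_standard_port(1912))
```

On these rows the three reconnect gaps all land within a few milliseconds of 5.01 s while the start-to-start intervals vary between 5 s and 26 s, which is why the gap after the last packet, not the connection start time, is the value worth alerting on for this family of traffic.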


                                                                                                                                                            Target ID:0
                                                                                                                                                            Start time:11:14:44
                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                            Path:C:\Users\user\Desktop\2eRd5imEKU.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Users\user\Desktop\2eRd5imEKU.exe"
                                                                                                                                                            Imagebase:0x170000
                                                                                                                                                            File size:794'624 bytes
                                                                                                                                                            MD5 hash:A5F1D2B0754206F99AD204434058F29D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2344445600.000000000362C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2344445600.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2344445600.0000000003677000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            Reputation:low
                                                                                                                                                            Has exited:true

                                                                                                                                                            Target ID:4
                                                                                                                                                            Start time:11:15:00
                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                            Path:C:\Users\user\Desktop\2eRd5imEKU.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:"C:\Users\user\Desktop\2eRd5imEKU.exe"
                                                                                                                                                            Imagebase:0xa50000
                                                                                                                                                            File size:794'624 bytes
                                                                                                                                                            MD5 hash:A5F1D2B0754206F99AD204434058F29D
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.4028794959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                            Reputation:low
                                                                                                                                                            Has exited:false


                                                                                                                                                              Execution Graph

                                                                                                                                                              Execution Coverage:9.3%
                                                                                                                                                              Dynamic/Decrypted Code Coverage:96.3%
                                                                                                                                                              Signature Coverage:0%
                                                                                                                                                              Total number of Nodes:82
                                                                                                                                                              Total number of Limit Nodes:6
execution_graph
33830 d0bac0
33831 d0bb02
33830->33831
33832 d0bb08 GetModuleHandleW
33830->33832 33831->33832
33833 d0bb35
33832->33833
33834 d0dda0 DuplicateHandle
33835 d0de36
33834->33835
33820 d0db58
33821 d0db9e GetCurrentProcess
33820->33821
33823 d0dbf0 GetCurrentThread
33821->33823
33824 d0dbe9
33821->33824
33825 d0dc26
33823->33825
33826 d0dc2d GetCurrentProcess
33823->33826 33824->33823 33825->33826
33827 d0dc63 GetCurrentThreadId
33826->33827
33829 d0dcbc
33827->33829
33836 d04668
33837 d04672
33836->33837
33839 d04758
33836->33839
33840 d0477d
33839->33840
33844 d04858
33840->33844
33848 d04868
33840->33848
33845 d0488f
33844->33845
33846 d0496c
33845->33846
33852 d044c4
33845->33852
33850 d0488f
33848->33850
33849 d0496c
33849->33849 33850->33849
33851 d044c4 CreateActCtxA
33850->33851 33851->33849
33853 d058f8 CreateActCtxA
33852->33853
33855 d059bb
33853->33855
33856 4aa23d0
33857 4aa2438 CreateWindowExW
33856->33857
33859 4aa24f4
33857->33859 33859->33859
33860 a1d01c
33861 a1d034
33860->33861
33862 a1d08e
33861->33862
33867 4aa2588
33861->33867
33871 4aa11a4
33861->33871
33880 4aa32e8
33861->33880
33889 4aa2578
33861->33889
33868 4aa25ae
33867->33868
33869 4aa11a4 CallWindowProcW
33868->33869
33870 4aa25cf
33869->33870 33870->33862
33872 4aa11af
33871->33872
33873 4aa3359
33872->33873
33875 4aa3349
33872->33875
33909 4aa12cc
33873->33909
33893 4aa354c
33875->33893
33899 4aa3470
33875->33899
33904 4aa3480
33875->33904
33876 4aa3357
33883 4aa3325
33880->33883
33881 4aa3359
33882 4aa12cc CallWindowProcW
33881->33882
33885 4aa3357
33882->33885 33883->33881
33884 4aa3349
33883->33884
33886 4aa354c CallWindowProcW
33884->33886
33887 4aa3480 CallWindowProcW
33884->33887
33888 4aa3470 CallWindowProcW
33884->33888 33886->33885 33887->33885 33888->33885
33890 4aa25ae
33889->33890
33891 4aa11a4 CallWindowProcW
33890->33891
33892 4aa25cf
33891->33892 33892->33862
33894 4aa350a
33893->33894
33895 4aa355a
33893->33895
33913 4aa3528
33894->33913
33916 4aa3538
33894->33916
33896 4aa3520
33896->33876
33901 4aa3494
33899->33901
33900 4aa3520
33900->33876
33902 4aa3528 CallWindowProcW
33901->33902
33903 4aa3538 CallWindowProcW
33901->33903 33902->33900 33903->33900
33906 4aa3494
33904->33906
33905 4aa3520
33905->33876
33907 4aa3528 CallWindowProcW
33906->33907
33908 4aa3538 CallWindowProcW
33906->33908 33907->33905 33908->33905
33910 4aa12d7
33909->33910
33911 4aa4a3a CallWindowProcW
33910->33911
33912 4aa49e9
33910->33912 33911->33912 33912->33876
33914 4aa3549
33913->33914
33919 4aa4971
33913->33919 33914->33896
33917 4aa3549
33916->33917
33918 4aa4971 CallWindowProcW
33916->33918 33917->33896 33918->33917
33920 4aa12cc CallWindowProcW
33919->33920
33921 4aa498a
33920->33921 33921->33914

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
control_flow_graph
0 4aa7d60-4aa845b call 4aa7768 call 4aa7778 call 4aa7788 call 4aa7798 * 2 call 4aa7788 * 2 call 4aa7798 call 4aa7788 call 4aa77a8 * 2 call 4aa77b8 call 4aa77c8 call 4aa7768 * 4 call 4aa77a8 call 4aa77d8 call 4aa7798 call 4aa77e8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7858 call 4aa7808 call 4aa7818 call 4aa7868 call 4aa7878 call 4aa7828
145 4aa8461-4aaa456 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7888 call 4aa7898 call 4aa78a8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7888 call 4aa7898 call 4aa78a8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7888 call 4aa7898 call 4aa78a8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa78b8 call 4aa78c8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa78d8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa78d8 call 4aa78e8 call 4aa78f8 call 4aa7908 call 4aa7918 call 4aa7928 call 4aa7938 call 4aa7950 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7960 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7970 call 4aa7980 call 4aa7990 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa79a0 call 4aa79b0 call 4aa79c0 call 4aa79d0 call 4aa79e0 call 4aa79f0 * 18 call 4aa7a00 call 4aa7a10 call 4aa7a20 call 4aa7a30 call 4aa7a40 call 4aa7808 call 4aa5e5c
0->145
146 4aaa465-4aaa47b
0->146
568 4aaa45d-4aaa464
145->568
569 4aaa458 call 4aa7a50
145->569 569->568
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2346220557.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_4aa0000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: $ $ $ $ $ $ $ 'q$$$$$$$&$&$&$&$'$($($($($($($($2$7$7$7$L$O$]$]$]$i$i$$q
                                                                                                                                                              • API String ID: 0-786060770
                                                                                                                                                              • Opcode ID: 7f3e4d867be578cc1b6ebb148b1dcfa91beebea7c64fc1265eab2187288bb5eb
                                                                                                                                                              • Instruction ID: 1a3b4c9e8fee53edf0629e4483d8d07ccc40552dda302b7bc256448054e3e459
                                                                                                                                                              • Opcode Fuzzy Hash: 7f3e4d867be578cc1b6ebb148b1dcfa91beebea7c64fc1265eab2187288bb5eb
                                                                                                                                                              • Instruction Fuzzy Hash: 87332534A10719CFDB55EF38C884799B7B2FF89304F5086A9D809AB351EB31AA85CF51

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
control_flow_graph
570 4aa7d43-4aa7dd5
577 4aa7ddf-4aa7de3 call 4aa7768
570->577
579 4aa7de8-4aa7df3
577->579
581 4aa7dfd-4aa7e01 call 4aa7778
579->581
583 4aa7e06-4aa7e11
581->583
585 4aa7e1b-4aa7e1f call 4aa7788
583->585
587 4aa7e24-4aa8033 call 4aa7798 * 2 call 4aa7788 * 2 call 4aa7798 call 4aa7788 call 4aa77a8 * 2 call 4aa77b8 call 4aa77c8 call 4aa7768 * 4 call 4aa77a8 call 4aa77d8 call 4aa7798
585->587
657 4aa803d-4aa8041 call 4aa77e8
587->657
659 4aa8046
657->659
660 4aa8051-4aa808d call 4aa77f8
659->660
663 4aa8092-4aa80e4
660->663
665 4aa80eb-4aa80f4
663->665
666 4aa80ff-4aa810c call 4aa7808
665->666
668 4aa8111-4aa8146 call 4aa7818
666->668
670 4aa814b-4aa836a call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7858 call 4aa7808 call 4aa7818 call 4aa7868 call 4aa7878 call 4aa7828
668->670
702 4aa8371-4aa8382
670->702
703 4aa838e-4aa8410
702->703
711 4aa8417-4aa8432
703->711
712 4aa8438-4aa8440
711->712
713 4aa844a-4aa8451
712->713
714 4aa8457-4aa845b
713->714
715 4aa8461-4aa8467
714->715
716 4aaa465-4aaa47b
714->716
718 4aa8472-4aa8492
715->718
720 4aa8498-4aa8545 call 4aa77f8
718->720
724 4aa854c-4aa8593
720->724
725 4aa8599-4aa90c2 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7888 call 4aa7898 call 4aa78a8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7888 call 4aa7898 call 4aa78a8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7888 call 4aa7898 call 4aa78a8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828
724->725
850 4aa90c8-4aa90d5 call 4aa78b8
725->850
852 4aa90da-4aa9e64 call 4aa78c8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa78d8 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa78d8 call 4aa78e8 call 4aa78f8 call 4aa7908 call 4aa7918 call 4aa7928 call 4aa7938 call 4aa7950 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7848 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7838 call 4aa7960 call 4aa77f8 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa7970
850->852
1020 4aa9e69-4aa9e76 call 4aa7980
852->1020
1022 4aa9e7b-4aa9eec call 4aa7990
1020->1022
1032 4aa9ef4-4aa9f3b call 4aa77f8
1022->1032
1034 4aa9f40-4aaa120 call 4aa7808 call 4aa7818 call 4aa7828 call 4aa79a0 call 4aa79b0 call 4aa79c0 call 4aa79d0 call 4aa79e0 call 4aa79f0
1032->1034
1060 4aaa125-4aaa135
1034->1060
1061 4aaa13b-4aaa15a call 4aa79f0 * 2
1060->1061
1066 4aaa15f-4aaa16f
1061->1066
1067 4aaa175-4aaa225 call 4aa79f0 * 7
1066->1067
1087 4aaa22a-4aaa23a
1067->1087
1088 4aaa240-4aaa322 call 4aa79f0 * 8
1087->1088
1112 4aaa328-4aaa32f call 4aa7a00
1088->1112
1114 4aaa334-4aaa446 call 4aa7a10 call 4aa7a20 call 4aa7a30 call 4aa7a40 call 4aa7808 call 4aa5e5c
1112->1114
1136 4aaa44d-4aaa456
1114->1136
1138 4aaa45d-4aaa464
1136->1138
1139 4aaa458 call 4aa7a50
1136->1139 1139->1138
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2346220557.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_4aa0000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: $ $ $ $ $ $ $ 'q$$$$$$$&$&$&$&$'$($($($($($($($2$7$7$7$L$O$]$]$]$i$i$$q
                                                                                                                                                              • API String ID: 0-786060770
                                                                                                                                                              • Opcode ID: 9d681229821c35fbb96b0bbd0aae79cf42d5777845df8e6c851e69c6b6e059a7
                                                                                                                                                              • Instruction ID: b2c80551b2f665352f2bf861bc14f4178ee51ce7c19d13127e30f774855642a1
                                                                                                                                                              • Opcode Fuzzy Hash: 9d681229821c35fbb96b0bbd0aae79cf42d5777845df8e6c851e69c6b6e059a7
                                                                                                                                                              • Instruction Fuzzy Hash: C1332634A107198FDB55EF38C884799B7B2FF89304F5086E9D809AB351EB31AA85CF51

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
control_flow_graph
1140 d0db58-d0dbe7 GetCurrentProcess
1144 d0dbf0-d0dc24 GetCurrentThread
1140->1144
1145 d0dbe9-d0dbef
1140->1145
1146 d0dc26-d0dc2c
1144->1146
1147 d0dc2d-d0dc61 GetCurrentProcess
1144->1147 1145->1144 1146->1147
1149 d0dc63-d0dc69
1147->1149
1150 d0dc6a-d0dc82
1147->1150 1149->1150
1153 d0dc8b-d0dcba GetCurrentThreadId
1150->1153
1154 d0dcc3-d0dd25
1153->1154
1155 d0dcbc-d0dcc2
1153->1155 1155->1154
                                                                                                                                                              APIs
                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 00D0DBD6
                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 00D0DC13
                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 00D0DC50
                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00D0DCA9
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343402323.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_d00000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                              • Opcode ID: 5b99d0a9a46c62132534be9f0b8951eb2da55f124ae9f7fbbd65892c5029a080
                                                                                                                                                              • Instruction ID: f8e138c0ff1b681dbcb369561cfc34dff732f448a0621dab76e0378058ba3727
                                                                                                                                                              • Opcode Fuzzy Hash: 5b99d0a9a46c62132534be9f0b8951eb2da55f124ae9f7fbbd65892c5029a080
                                                                                                                                                              • Instruction Fuzzy Hash: 8F515AB0900249CFEB54CFA9D548BDEBBF1EF88304F24845AE019A73A0D7749944CF65

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1179 6a84ac8-6a84b01 1181 6a84aac-6a84ab4 1179->1181 1182 6a84b03-6a85a46 call 6a84b44 1179->1182
                                                                                                                                                              Strings
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID: Sl^$Sl^
                                                                                                                                                              • API String ID: 0-1937072647
                                                                                                                                                              • Opcode ID: 1a8084ee820249013ee166576e0cda13445aea12e00c1b865818965851d65a2c
                                                                                                                                                              • Instruction ID: caa30bbdb04dc118533381e54316cf2d9518b9296c862f47c1e36b6089028b30
                                                                                                                                                              • Opcode Fuzzy Hash: 1a8084ee820249013ee166576e0cda13445aea12e00c1b865818965851d65a2c
                                                                                                                                                              • Instruction Fuzzy Hash: D301719680E3C25FF302A6294CE87866F61EF76384F1B4097C9C84A153E914895B8667

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1188 4aa23c4-4aa2436 1189 4aa2438-4aa243e 1188->1189 1190 4aa2441-4aa2448 1188->1190 1189->1190 1191 4aa244a-4aa2450 1190->1191 1192 4aa2453-4aa248b 1190->1192 1191->1192 1193 4aa2493-4aa24f2 CreateWindowExW 1192->1193 1194 4aa24fb-4aa2533 1193->1194 1195 4aa24f4-4aa24fa 1193->1195 1199 4aa2540 1194->1199 1200 4aa2535-4aa2538 1194->1200 1195->1194 1201 4aa2541 1199->1201 1200->1199 1201->1201
                                                                                                                                                              APIs
                                                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AA24E2
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2346220557.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_4aa0000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: CreateWindow
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 716092398-0
                                                                                                                                                              • Opcode ID: 132a86544fe11e7228bc8d575d6b5bf72482b2eb5bc8939dd1ce0137f4c72dba
                                                                                                                                                              • Instruction ID: c1994ac578655211850b96a027c9dc800108f3dea6e1a7f1b9d18ecf37cff823
                                                                                                                                                              • Opcode Fuzzy Hash: 132a86544fe11e7228bc8d575d6b5bf72482b2eb5bc8939dd1ce0137f4c72dba
                                                                                                                                                              • Instruction Fuzzy Hash: A851BEB1D103499FDB14CFA9C884ADEBFB1BF88314F24816AE819AB350D775A855CF90

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1202 4aa23d0-4aa2436 1203 4aa2438-4aa243e 1202->1203 1204 4aa2441-4aa2448 1202->1204 1203->1204 1205 4aa244a-4aa2450 1204->1205 1206 4aa2453-4aa24f2 CreateWindowExW 1204->1206 1205->1206 1208 4aa24fb-4aa2533 1206->1208 1209 4aa24f4-4aa24fa 1206->1209 1213 4aa2540 1208->1213 1214 4aa2535-4aa2538 1208->1214 1209->1208 1215 4aa2541 1213->1215 1214->1213 1215->1215
                                                                                                                                                              APIs
                                                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AA24E2
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2346220557.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_4aa0000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: CreateWindow
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 716092398-0
                                                                                                                                                              • Opcode ID: 96cb5bc3c4a181dadd2cbff96f3013cfa11592d4c2d9713149b5dfde541c130d
                                                                                                                                                              • Instruction ID: 5ff4ee1de636cc66cbdc503d5b94769493d01776d31d60576dc479fec3d69a32
                                                                                                                                                              • Opcode Fuzzy Hash: 96cb5bc3c4a181dadd2cbff96f3013cfa11592d4c2d9713149b5dfde541c130d
                                                                                                                                                              • Instruction Fuzzy Hash: DC41BEB1D003499FDB14CF99C884ADEFBB5BF88310F24812AE819AB350D775A855CF90

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1216 d058ec-d059b9 CreateActCtxA 1218 d059c2-d05a1c 1216->1218 1219 d059bb-d059c1 1216->1219 1226 d05a2b-d05a2f 1218->1226 1227 d05a1e-d05a21 1218->1227 1219->1218 1228 d05a40 1226->1228 1229 d05a31-d05a3d 1226->1229 1227->1226 1231 d05a41 1228->1231 1229->1228 1231->1231
                                                                                                                                                              APIs
                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 00D059A9
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343402323.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_d00000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Create
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                              • Opcode ID: 7f0807f8620802d27fc60e41f530ed431bb48d49afc8d9c22e595e430aefd34f
                                                                                                                                                              • Instruction ID: baf4a419750d8ed008135da774203dd622fdb96685df2851ef4b77dd78c14da6
                                                                                                                                                              • Opcode Fuzzy Hash: 7f0807f8620802d27fc60e41f530ed431bb48d49afc8d9c22e595e430aefd34f
                                                                                                                                                              • Instruction Fuzzy Hash: 2341E270C00719CFDB24CFA9C8847CEBBB1BF88704F24815AD409AB295DB75694ACF50

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1232 4aa12cc-4aa49dc 1235 4aa4a8c-4aa4aac call 4aa11a4 1232->1235 1236 4aa49e2-4aa49e7 1232->1236 1243 4aa4aaf-4aa4abc 1235->1243 1238 4aa4a3a-4aa4a72 CallWindowProcW 1236->1238 1239 4aa49e9-4aa4a20 1236->1239 1241 4aa4a7b-4aa4a8a 1238->1241 1242 4aa4a74-4aa4a7a 1238->1242 1245 4aa4a29-4aa4a38 1239->1245 1246 4aa4a22-4aa4a28 1239->1246 1241->1243 1242->1241 1245->1243 1246->1245
                                                                                                                                                              APIs
                                                                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04AA4A61
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2346220557.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_4aa0000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: CallProcWindow
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2714655100-0
                                                                                                                                                              • Opcode ID: 3414ac06823a81a2a8265bba29fbc84b673928a5d3edcb25ce1510bcc15f4f47
                                                                                                                                                              • Instruction ID: e0cd61e45a7c4ce4e9d103316ed956b6cc3fdaef280e6dfee939e4ad517ddfa0
                                                                                                                                                              • Opcode Fuzzy Hash: 3414ac06823a81a2a8265bba29fbc84b673928a5d3edcb25ce1510bcc15f4f47
                                                                                                                                                              • Instruction Fuzzy Hash: D74103B5A00209DFDB14CF99C488AAAFBF5FB88314F24C459E519AB321D774A851CFA4

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1249 d044c4-d059b9 CreateActCtxA 1252 d059c2-d05a1c 1249->1252 1253 d059bb-d059c1 1249->1253 1260 d05a2b-d05a2f 1252->1260 1261 d05a1e-d05a21 1252->1261 1253->1252 1262 d05a40 1260->1262 1263 d05a31-d05a3d 1260->1263 1261->1260 1265 d05a41 1262->1265 1263->1262 1265->1265
                                                                                                                                                              APIs
                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 00D059A9
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343402323.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_d00000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: Create
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                              • Opcode ID: 3da1f258af8066ae9f175a9eb4ddc0a6133b6c28f6aef9c928d1670e544f3f7f
                                                                                                                                                              • Instruction ID: ef6b109052a60c98940ce5591bc1dacee820843378b39050ef81cb8faf172c8e
                                                                                                                                                              • Opcode Fuzzy Hash: 3da1f258af8066ae9f175a9eb4ddc0a6133b6c28f6aef9c928d1670e544f3f7f
                                                                                                                                                              • Instruction Fuzzy Hash: BA41C170D0071DCBDB24DFAAC84478EBBB5BF88704F24816AD409AB295DB756945CFA0

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1266 d0dda0-d0de34 DuplicateHandle 1267 d0de36-d0de3c 1266->1267 1268 d0de3d-d0de5a 1266->1268 1267->1268
                                                                                                                                                              APIs
                                                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0DE27
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343402323.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_d00000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: DuplicateHandle
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 3793708945-0
                                                                                                                                                              • Opcode ID: 9d2d6ccb8776f6b65112c7640d1c750d063e52642e64649d603f14935a06ca30
                                                                                                                                                              • Instruction ID: 09bf6d9c5259f453afb82a28b21952d458c136b4a66b1868c305d90421b041fc
                                                                                                                                                              • Opcode Fuzzy Hash: 9d2d6ccb8776f6b65112c7640d1c750d063e52642e64649d603f14935a06ca30
                                                                                                                                                              • Instruction Fuzzy Hash: 7A21F5B5900209DFDB10CF9AD884ADEFBF5FB48310F14841AE958A7350C378A950CFA4

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1271 d0bac0-d0bb00 1272 d0bb02-d0bb05 1271->1272 1273 d0bb08-d0bb33 GetModuleHandleW 1271->1273 1272->1273 1274 d0bb35-d0bb3b 1273->1274 1275 d0bb3c-d0bb50 1273->1275 1274->1275
                                                                                                                                                              APIs
                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0BB26
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343402323.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_d00000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                              • Opcode ID: 2a9aec05a5495d8e63b6d415b967a36001cc2b6912047407a70d670f5f4db343
                                                                                                                                                              • Instruction ID: 00142ec65551e00162fc40699e60259d650d9b7b58fc2d5eca8aa624a9a0a488
                                                                                                                                                              • Opcode Fuzzy Hash: 2a9aec05a5495d8e63b6d415b967a36001cc2b6912047407a70d670f5f4db343
                                                                                                                                                              • Instruction Fuzzy Hash: 5F110FB6C002498FDB10CF9AC844BDEFBF4AB88324F14841AD429B7250C379A545CFA5

                                                                                                                                                              Control-flow Graph

                                                                                                                                                              • Executed
                                                                                                                                                              • Not Executed
                                                                                                                                                              control_flow_graph 1277 6a82cab-6a82cb0 1278 6a82d1f-6a82d21 1277->1278 1279 6a82cb2-6a82d16 1277->1279 1281 6a82d29-6a82d2f 1278->1281 1279->1278 1312 6a82d32 call 6a82f28 1281->1312 1313 6a82d32 call 6a830e9 1281->1313 1314 6a82d32 call 6a84739 1281->1314 1315 6a82d32 call 6a8327b 1281->1315 1316 6a82d32 call 6a82eee 1281->1316 1317 6a82d32 call 6a86d60 1281->1317 1283 6a82d38-6a82d60 call 6a8208c 1292 6a82d62 1283->1292 1293 6a82d64-6a82d70 1283->1293 1294 6a82d72-6a82ee0 1292->1294 1293->1294 1312->1283 1313->1283 1314->1283 1315->1283 1316->1283 1317->1283
Strings
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID: 0,q
• API String ID: 0-385376986
• Opcode ID: c09459d191c7ca6248eb37018774b773adf796b2c1ce4c952e6acd31201b1bf8
• Instruction ID: 4318c32f56e0745f17fdb6ba384b01800c92fb6fbdf9230a8869f1af4629f227
• Opcode Fuzzy Hash: c09459d191c7ca6248eb37018774b773adf796b2c1ce4c952e6acd31201b1bf8
• Instruction Fuzzy Hash: 4751D231B00118AFD704BB78E4597ADBBB2FF88300F1484A9D981AB395DF75AE45C791

Control-flow Graph (rendered graph; legend: Executed / Not Executed)
control_flow_graph 1318 6a82cb8-6a82d2f 1351 6a82d32 call 6a82f28 1318->1351 1352 6a82d32 call 6a830e9 1318->1352 1353 6a82d32 call 6a84739 1318->1353 1354 6a82d32 call 6a8327b 1318->1354 1355 6a82d32 call 6a82eee 1318->1355 1356 6a82d32 call 6a86d60 1318->1356 1325 6a82d38-6a82d60 call 6a8208c 1331 6a82d62 1325->1331 1332 6a82d64-6a82d70 1325->1332 1333 6a82d72-6a82ee0 1331->1333 1332->1333 1351->1325 1352->1325 1353->1325 1354->1325 1355->1325 1356->1325
Strings
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID: 0,q
• API String ID: 0-385376986
• Opcode ID: d5206c9a0e077a4dca3317b8e276a7543445b4c7307229cd4391dc2ad4718bf3
• Instruction ID: 62239a1076b277295d438600a2b59fd86a1308ce9136ab928e02e9ebd1d9363a
• Opcode Fuzzy Hash: d5206c9a0e077a4dca3317b8e276a7543445b4c7307229cd4391dc2ad4718bf3
• Instruction Fuzzy Hash: 7951D031B001189FD704BB78E4597AE7BB2FF88300F1484A9D982AB396DF71AE45C791
Strings
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID: "
• API String ID: 0-123907689
• Opcode ID: 9fd89ea5cc894ee7b72a1cdbdf75eda8a3ff65dc9b4810c0583cbbc09539d873
• Instruction ID: 5d628a7a502e9bfcc983cecb3c70b8f0d664d32216b678e52f922b32271f4d44
• Opcode Fuzzy Hash: 9fd89ea5cc894ee7b72a1cdbdf75eda8a3ff65dc9b4810c0583cbbc09539d873
• Instruction Fuzzy Hash: FD31D2B1F002069FE794BB69D80476A7BF6EB89304F2480AAD155DF292EB35DC06C761
Strings
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID: $%"
• API String ID: 0-3771416485
• Opcode ID: 7bf01e78a406af86795d398e6336f9a0af7beae77a341bcb068b2657c860450f
• Instruction ID: ecf2d603e67090972823f924d3dcbd91efa5deb577604a0a1ff3aaf5a2d77d7d
• Opcode Fuzzy Hash: 7bf01e78a406af86795d398e6336f9a0af7beae77a341bcb068b2657c860450f
• Instruction Fuzzy Hash: 45F04430904105CFEB94FB99D4147ADBABDEF49301F049525C105A6395DE70594ACBA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID: }a
• API String ID: 0-3969956379
• Opcode ID: a16448eb06523b0b12f52ea613d35349e9eb9d53dc8334765e8bf5f7087f10cd
• Instruction ID: 563d21b0750bef651ab91263586bb6661028a1fc2c5bf9508f9e196fa8d3cc4b
• Opcode Fuzzy Hash: a16448eb06523b0b12f52ea613d35349e9eb9d53dc8334765e8bf5f7087f10cd
• Instruction Fuzzy Hash: F8D012365502085E8BC0FFD5E844C56BBDCBB547407008432E544CB021E721F534E751
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e75275cac3f0a65b0187e1a78f6aae160e03c614924ad4254eefca2c7ad9a660
• Instruction ID: 861329068cf7555f537128a43e6fe0896c0c15e7fa10278882f763abf81e623f
• Opcode Fuzzy Hash: e75275cac3f0a65b0187e1a78f6aae160e03c614924ad4254eefca2c7ad9a660
• Instruction Fuzzy Hash: 32E18234A0020ADFEF05FFA8D554AAEBBB6FF88300F108059E505AB365DB359D46DB91
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4498852f2057f89115316b07d55b283d68085de94a80e5ae39f9a30568cf482
• Instruction ID: a79351ad635ef53dab61228a660ffd9a5a3630fb5bc01073a258afff77b7c6b1
• Opcode Fuzzy Hash: b4498852f2057f89115316b07d55b283d68085de94a80e5ae39f9a30568cf482
• Instruction Fuzzy Hash: A6A1D375910619CFDB10EF68C840A9CFBB1FF59314F05C699E949BB215EB30AA89CF90
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e612be0334780b77a580eab8ce3c56dc8627e3c963668e081ce51691fd7d70e
• Instruction ID: 88b2c160430a8f74bfe7002b3ce1750791242dbd4dc535a6fc756197c59e6bc5
• Opcode Fuzzy Hash: 9e612be0334780b77a580eab8ce3c56dc8627e3c963668e081ce51691fd7d70e
• Instruction Fuzzy Hash: EC51C332F0031ACFDF54BFB989542AEBBB2EF85240B100569C412AB391DB349D01CBE1
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ecfb467e5d7ec70e68c703fbfabe597be0558ff5cbdf816b5ef81473588d3095
• Instruction ID: 0f61ee3e0fda50b12c0edf6286bbfb13017d8c2da73402e0d5b11ec1f0500070
• Opcode Fuzzy Hash: ecfb467e5d7ec70e68c703fbfabe597be0558ff5cbdf816b5ef81473588d3095
• Instruction Fuzzy Hash: 3B519370E00218DFFB54BFA8D951BBEBAB2BF44700F109026E551AB39AD7349942CB91
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 71ec99e435bd27478c54aff999faf8122a878c4a442dab07bd2a0646ca48336c
• Instruction ID: 03e938a11e6b784e41be967cfcfa64233d5a55f1200c322ea1d83ced50838a42
• Opcode Fuzzy Hash: 71ec99e435bd27478c54aff999faf8122a878c4a442dab07bd2a0646ca48336c
• Instruction Fuzzy Hash: 99710875910619CFDB54EF68C840A99FBB1FF49304F05C299E849BB315EB30AA89CF90
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce537214cfc42e8857285a70538a129dc9b071f29863efb422f1a319bd9d899c
• Instruction ID: 778de992a891a1483368d9d57212be5d2eeca7a09cf055a89db43b928694a3b5
• Opcode Fuzzy Hash: ce537214cfc42e8857285a70538a129dc9b071f29863efb422f1a319bd9d899c
• Instruction Fuzzy Hash: 5B41D170B00209DFEF94BF98D44977EB7F1FB44B10F10846AE502AB282D6B5D842CB94
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2e492c9eb8601ffd0c27f68c5922a673733693e034073d432cb2ee9be991e78
• Instruction ID: 287ce370e67b917cdbb9a7dd29b5d452256bc82a8e195ffafaa8d5e21b6527fe
• Opcode Fuzzy Hash: c2e492c9eb8601ffd0c27f68c5922a673733693e034073d432cb2ee9be991e78
• Instruction Fuzzy Hash: 0531ACB0B006149FEF907BD8D809B7EB3F2FB44F11F10446AE602AB2D2D6B59941CB94
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3a9017d90acab7c8bdf3b244155f556e5ac129eaf17ac9d049cddc4946a1a2d
                                                                                                                                                              • Instruction ID: 36b16acacb5ffdd1a7df31faadc9019af98a7c0e6c39b7fe13fd10b99b7cb20f
                                                                                                                                                              • Opcode Fuzzy Hash: f3a9017d90acab7c8bdf3b244155f556e5ac129eaf17ac9d049cddc4946a1a2d
                                                                                                                                                              • Instruction Fuzzy Hash: 9D31E134D04655CFD7D4BBA9C8113BEF6B2EB84201F008567E8B6DA282E378D851CB92
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e79eb2dfe4d1f18d66ad35a24a1399e3f7380490b204bd7864b0d23e78fe9390
                                                                                                                                                              • Instruction ID: b8609039b5b6c2ac76d9923ad3806f66cd64a4d83e157f076973e1beb2936bf4
                                                                                                                                                              • Opcode Fuzzy Hash: e79eb2dfe4d1f18d66ad35a24a1399e3f7380490b204bd7864b0d23e78fe9390
                                                                                                                                                              • Instruction Fuzzy Hash: CE31C4B1F00205DFE794AB69D8047697BF6FB89304F24806AD155CF292E775DC06C761
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 60d4e20f4fecd42230622ba44aa707efe6b9192e7904de1afb8783f4e002cddd
                                                                                                                                                              • Instruction ID: 86ed1d5c21c725f7c3a6a05c209b6dfe16e3a779f5c804253be6c639e8b06c2c
                                                                                                                                                              • Opcode Fuzzy Hash: 60d4e20f4fecd42230622ba44aa707efe6b9192e7904de1afb8783f4e002cddd
                                                                                                                                                              • Instruction Fuzzy Hash: 4931A531A08115CFE790BB6DC840BBEF7B6EB85310F254537E525DB2A1D678C841C7A2
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 3e2477912da4542b867a0bf070aa86e2efc553c4cd461b589ffe016cebfe84c9
                                                                                                                                                              • Instruction ID: ea3f5ea09f770123ec699af92a55ba8c556ff411af3ba3962b2be6b1eddf2fe1
                                                                                                                                                              • Opcode Fuzzy Hash: 3e2477912da4542b867a0bf070aa86e2efc553c4cd461b589ffe016cebfe84c9
                                                                                                                                                              • Instruction Fuzzy Hash: 9531B471A08391CFC7266B74E85822D7FB5EF49211B0484ABE542CB397DA78CC45C771
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: c36b5d762201811a3a207abf4ed966d6c50b3e4136965165542b4d32af5c2c7d
                                                                                                                                                              • Instruction ID: 5504676f873143c92d448059d3947d2ad04aa9958fab991ed4f889b889467a4d
                                                                                                                                                              • Opcode Fuzzy Hash: c36b5d762201811a3a207abf4ed966d6c50b3e4136965165542b4d32af5c2c7d
                                                                                                                                                              • Instruction Fuzzy Hash: D0313871900208AFDB54EFA9D884ADEBFF5FB48310F10842AE919E7210D775A940CFA4
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 4e29f1ca14ec8680798caabf84f913bea41db4a3fecf885aeb6d4e87bcd4c175
                                                                                                                                                              • Instruction ID: 1dd566808d876c66c1db8a7152fc7060878dc48be62f721e6ca040ff8c70fdec
                                                                                                                                                              • Opcode Fuzzy Hash: 4e29f1ca14ec8680798caabf84f913bea41db4a3fecf885aeb6d4e87bcd4c175
                                                                                                                                                              • Instruction Fuzzy Hash: CC21A171A08115CFE750BF6DC940ABEF7B6EB85310F244537A425DB295D338C441C791
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 37303f0dc477f98690ca35da2b9871f71f66422eef0dfee519cf6a85001c3812
                                                                                                                                                              • Instruction ID: 22867a850df6a006397c4e72fe149ed2d070e8f7fe30299953a049a91c21d5ee
                                                                                                                                                              • Opcode Fuzzy Hash: 37303f0dc477f98690ca35da2b9871f71f66422eef0dfee519cf6a85001c3812
                                                                                                                                                              • Instruction Fuzzy Hash: EE218031A04255DFCB656B78E84C62E7FB6FF88201714846BE912CB395DB78CC41CBA5
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: c3425f8e2c19de020c4501ade7dd629fb1e3a38b4d34959e5401f5b197bda17a
                                                                                                                                                              • Instruction ID: b2bb52fe8fd7226620ad1e48e9c50c89b2b52ed4d7b68d918f1f702d582fee03
                                                                                                                                                              • Opcode Fuzzy Hash: c3425f8e2c19de020c4501ade7dd629fb1e3a38b4d34959e5401f5b197bda17a
                                                                                                                                                              • Instruction Fuzzy Hash: B0213930E10209DFEB54BBA4E8546EEBBB6FF88360F544129D402A7384DB349D45CB65
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343134027.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_a0d000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: eee6d7782e31574ac2543d7e2c461c8b8352854695e7a63241e90ab689dd054d
                                                                                                                                                              • Instruction ID: c6cb61b217bb9cfbb12ff937032a7b17bb50d35d8d09b5ed5a7c76c5812b1ec8
                                                                                                                                                              • Opcode Fuzzy Hash: eee6d7782e31574ac2543d7e2c461c8b8352854695e7a63241e90ab689dd054d
                                                                                                                                                              • Instruction Fuzzy Hash: A821F272504248EFDB05DF54E9C0B26BF65FB88318F24C56DED090B296C336E856DBA2
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343134027.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_a0d000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 67a438d28e2c50e39adc321b89bb8c9624883fa27b15724e70a637e1d694b89e
                                                                                                                                                              • Instruction ID: a85e8fac7346b9800cf51ba2132cc8e5747c28cdad9c4fd8f6bc25e5332b020a
                                                                                                                                                              • Opcode Fuzzy Hash: 67a438d28e2c50e39adc321b89bb8c9624883fa27b15724e70a637e1d694b89e
                                                                                                                                                              • Instruction Fuzzy Hash: 69210372500208EFDB04DF54E9C0B26BB65FB98324F20C56DE9090B296C337E856CAA2
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 075aff763ad86dbd4ce2a318daa847a9a8e8a18fe0fceb604962fd6113036c91
                                                                                                                                                              • Instruction ID: b82adc94c20135984a48327fb8818bcecd8e007af8b18a242c29b80d6e5c9556
                                                                                                                                                              • Opcode Fuzzy Hash: 075aff763ad86dbd4ce2a318daa847a9a8e8a18fe0fceb604962fd6113036c91
                                                                                                                                                              • Instruction Fuzzy Hash: 7F31F874A04258CFDB60EF64C584AADBBB6FF49301F519599D40AAB316C734ED81CF60
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343177916.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_a1d000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 8af1d58319c399aff1768671d1fadd82289beb31ed11aa1a97481b1a6f10e879
                                                                                                                                                              • Instruction ID: 963cd59006ecb19e937a937b2107ca901cd81ec5f3aac3aec80ef9ae8b5a1395
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: d7d1e8da3cec65acbe7819634b369a78ce7c3dfe09ef0081659fca099197f41b
                                                                                                                                                              • Instruction ID: 0e01bc43063fb070d9f9605e5203efb667f4832ca7a01e8e66e3b2c0ee9e1ae0
                                                                                                                                                              • Opcode Fuzzy Hash: d7d1e8da3cec65acbe7819634b369a78ce7c3dfe09ef0081659fca099197f41b
                                                                                                                                                              • Instruction Fuzzy Hash: 9E11B3B1D006188BEB18DFABC9443DEFAF7AFC9300F14C06AD50976254DB7509468FA0
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: b89bd6113508b905ac0add573aad0a975fe45d8bf76249d57a88a8a6e73bf713
                                                                                                                                                              • Instruction ID: be72b32c0089612b376c89feb7a6f19e6b843660b76e543de1006a76a75a51ec
                                                                                                                                                              • Opcode Fuzzy Hash: b89bd6113508b905ac0add573aad0a975fe45d8bf76249d57a88a8a6e73bf713
                                                                                                                                                              • Instruction Fuzzy Hash: E811B074D04219DFDB60EBA8C481BAEFBB5BB09305F149185D94DA7202C730A982CFA1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343134027.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_a0d000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: a0ab06137a8fd3f840ce1edcb79aa46634e31de93658d8b848f29175b1125bb8
                                                                                                                                                              • Instruction ID: 4618982bb39897fd2b8f1bd62cd18dfc7b872d28ed8c3dda7131936c6975612a
                                                                                                                                                              • Opcode Fuzzy Hash: a0ab06137a8fd3f840ce1edcb79aa46634e31de93658d8b848f29175b1125bb8
                                                                                                                                                              • Instruction Fuzzy Hash: F701A7724043489AE7105BA9DD84B67FB98DF81324F18855AED094E2C2D2799845CAB1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 212d4c7c99965ac10a8442f54ca335bbed756082f576e608cd09aea8c18d57aa
                                                                                                                                                              • Instruction ID: bca1fbf45379acaeedb336c1cf46414f8f1e9aaad7bd6aef89c67ca28fe7bb0f
                                                                                                                                                              • Opcode Fuzzy Hash: 212d4c7c99965ac10a8442f54ca335bbed756082f576e608cd09aea8c18d57aa
                                                                                                                                                              • Instruction Fuzzy Hash: 08118375E002099FCF04DFE9D4809ADFBB2FF88310F20816AEA19AB365D6355946CF50
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 590e1598505d900647d1469832e7b8b48f189ba8c6bb5cdb1d166c8f9d97f5af
                                                                                                                                                              • Instruction ID: 192d5fde07652453d74d36040b82c979862b9f802d86aa5ff27403931ca462bd
                                                                                                                                                              • Opcode Fuzzy Hash: 590e1598505d900647d1469832e7b8b48f189ba8c6bb5cdb1d166c8f9d97f5af
                                                                                                                                                              • Instruction Fuzzy Hash: E8115734A04218CFDBA0FF18C581AACB7B6FF49340F209984D01A6B226C730EC80CF64
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: a7df41675814182ad1737374b899bbc26136d101bfbc2330bf3ed056538c5ddf
                                                                                                                                                              • Instruction ID: e413f97db226137c3180cd96638996bbbd801f278db630a8e430331cd18d0803
                                                                                                                                                              • Opcode Fuzzy Hash: a7df41675814182ad1737374b899bbc26136d101bfbc2330bf3ed056538c5ddf
                                                                                                                                                              • Instruction Fuzzy Hash: 0801D430B01219DFD3547B69940836A77A5EB4570AF7880BBD008CF246EA7BCC43CB65
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 755b954795b3e4840ab38d77a8817f9f0301f5bca701a8d1b3c9acab77279834
                                                                                                                                                              • Instruction ID: 30bfbbdce4a836b31beec5f062c036554c2a811d61ceb880e581c0b374e7b27f
                                                                                                                                                              • Opcode Fuzzy Hash: 755b954795b3e4840ab38d77a8817f9f0301f5bca701a8d1b3c9acab77279834
                                                                                                                                                              • Instruction Fuzzy Hash: C4F08C7090C108EFE744FF56C440AB8BBF9EB4A301F14A1E491095B252C7709A42DBE0
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2343134027.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_a0d000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 4465f27153327ad18fa9969d09aee7a746b1408a488984d79c7e09dacc3322df
                                                                                                                                                              • Instruction ID: 29f1fa40bc340a984b292456c321bfa2ce0f4f90d4551ec815447ea327429b4c
                                                                                                                                                              • Opcode Fuzzy Hash: 4465f27153327ad18fa9969d09aee7a746b1408a488984d79c7e09dacc3322df
                                                                                                                                                              • Instruction Fuzzy Hash: BBF06D72405348AAE7108F5AD888B62FF98EB91734F18C45AED094E2D6C2799844CAB1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 6c242196692e859de79ea6e0c5296656ccbde501906a5b50ed6ddc6113e2a478
                                                                                                                                                              • Instruction ID: f785aaf5df3b0db856c61f0a2ab799dc34ce47dfa6f78fa5d1f7198cd8f9df49
                                                                                                                                                              • Opcode Fuzzy Hash: 6c242196692e859de79ea6e0c5296656ccbde501906a5b50ed6ddc6113e2a478
                                                                                                                                                              • Instruction Fuzzy Hash: 7301C474A04218CFDB54EF64C684AECB7B6FB4E311F6015A8D50AA7351C735AE86CF60
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: abec61ae10b16e3aff55892cbe595dbe005ba366ef9b9fc29c1c34b102a16a4f
                                                                                                                                                              • Instruction ID: d43479afd4334c74ba4ce382e77a9cf96c147a7d72f0f67d05db8114e4e61668
                                                                                                                                                              • Opcode Fuzzy Hash: abec61ae10b16e3aff55892cbe595dbe005ba366ef9b9fc29c1c34b102a16a4f
                                                                                                                                                              • Instruction Fuzzy Hash: 2BF0F4B0D0430A9FEB88EFA8D452AAEBFF4BB48200F108569E514E7241E774C606CF90
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 640c2a15bf2c29885738fad6150953326dc98ad3ac90f9788fa2cb531cd07d21
                                                                                                                                                              • Instruction ID: bb97b1027c31548d37d3b83905ab9ee36e517a8967614f27b511cbda3c73d988
                                                                                                                                                              • Opcode Fuzzy Hash: 640c2a15bf2c29885738fad6150953326dc98ad3ac90f9788fa2cb531cd07d21
                                                                                                                                                              • Instruction Fuzzy Hash: B5F0B7B0D0430A9FDB84EFA9C841AAEBBF4BB48200F1085A9D918E7340D774D600CF90
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e32eead4e83c6018eb17ea5479537b7b5d8cb8c504c5b440236c1638aea7cdf0
                                                                                                                                                              • Instruction ID: 38b85f1392b5fea079943d49829351e4fb4a77b885bfa8ba235789e5454ece30
                                                                                                                                                              • Opcode Fuzzy Hash: e32eead4e83c6018eb17ea5479537b7b5d8cb8c504c5b440236c1638aea7cdf0
                                                                                                                                                              • Instruction Fuzzy Hash: C6F01574E0020CEBCF50EFA8D50569DBBB5FB48301F1080A9E914A6350DA319A51DBA1
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f00e909e241bbc19371039559ba6697cf1231892ba8af8b6b90f5ee32405ed2c
                                                                                                                                                              • Instruction ID: 7d4a5a15ac9bab69d3372def5be151c9943422a3533a2a541527c133239d01dd
                                                                                                                                                              • Opcode Fuzzy Hash: f00e909e241bbc19371039559ba6697cf1231892ba8af8b6b90f5ee32405ed2c
                                                                                                                                                              • Instruction Fuzzy Hash: CFE0ED71D4420ADFD780EFB9D50669EBFF1BB48200F11C569D059D7211E7749606CF80
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 5eb535d55e13237fb01ecfe69a9ccd48dab17a3a82cdbbac0c8ef546a82a1c1f
                                                                                                                                                              • Instruction ID: 617b87b4536d032fcb3e96473994cbdd31848d9cfac330fb956fbbeaa8eb4658
                                                                                                                                                              • Opcode Fuzzy Hash: 5eb535d55e13237fb01ecfe69a9ccd48dab17a3a82cdbbac0c8ef546a82a1c1f
                                                                                                                                                              • Instruction Fuzzy Hash: B5E092B0D40209EFD780EFA9C905A5EBFF1BB48200F2185A9D019E7211E7B49A058F91
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: cdd862c620f76c43f763335c53527f074d25bd990c6a0e3bcae214ce3c1b9472
                                                                                                                                                              • Instruction ID: 7736fd7fa1e8aa184eec27464d1115c890c6b6f96cbd4a695d1f6174fe8a9175
                                                                                                                                                              • Opcode Fuzzy Hash: cdd862c620f76c43f763335c53527f074d25bd990c6a0e3bcae214ce3c1b9472
                                                                                                                                                              • Instruction Fuzzy Hash: 7CD05E34A06109CFDB10EB28ED54AE8B735FF85214F0006D1D20C97210C6301E458F40
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 0dd3f474b973759ffa418fd1d24d966db69992d52c18eb50262b6de54b97ec92
                                                                                                                                                              • Instruction ID: b9722134e57bbd99ac25cd039a86b6a7f46b378679e58f0a616df4a3976948a4
                                                                                                                                                              • Opcode Fuzzy Hash: 0dd3f474b973759ffa418fd1d24d966db69992d52c18eb50262b6de54b97ec92
                                                                                                                                                              • Instruction Fuzzy Hash: 49D0C711610105DFFF6437B5E90C315BB65ABA1D00B5441DB440299246F55DC400C366
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 17293e1e5006b1e6c278f807020074410ad700a221e9f2f6fb877b8b05a38848
                                                                                                                                                              • Instruction ID: 0ecb64cbd1317659c663c498f8ce29e2eac7e2259e96a7c622cc740990b0675f
                                                                                                                                                              • Opcode Fuzzy Hash: 17293e1e5006b1e6c278f807020074410ad700a221e9f2f6fb877b8b05a38848
                                                                                                                                                              • Instruction Fuzzy Hash: B7C08C2430024887C60423F5B80871A3BDAE784620F204829E60ACB3C9EC2B8C01C229
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e0bf38da3c81490eda30114bceadf8df14c0cd16fe241268c6ec59b51fa25c2a
                                                                                                                                                              • Instruction ID: a422f20d30bba9436883494d8169748665fe924300849b839703c1c63f82ac40
                                                                                                                                                              • Opcode Fuzzy Hash: e0bf38da3c81490eda30114bceadf8df14c0cd16fe241268c6ec59b51fa25c2a
                                                                                                                                                              • Instruction Fuzzy Hash: 92C08C304002048BC3143BE4B50C339B7A9EB05206F080850E20E416508E744C42C632
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: f511ef50ba88253ed8445e80ac193df6fdc1f19f84155ca772411b40f1ea8677
                                                                                                                                                              • Instruction ID: 9a66a780a12b3654dbfd11cc85579d53e5ba1033dc623644cfeaeedfbd61b5ce
                                                                                                                                                              • Opcode Fuzzy Hash: f511ef50ba88253ed8445e80ac193df6fdc1f19f84155ca772411b40f1ea8677
                                                                                                                                                              • Instruction Fuzzy Hash: B2C02B27900140C7D344377454053043F82F7C0100FB04849C002C3358EA28C440C610
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: e63190b9abf658a7cc0fb4e82f57e7f5f900a47080b1c03c191e11269c1da4f8
                                                                                                                                                              • Instruction ID: f56763a37bc8258f28046387395ca831a45510323087222a3e0752c7f6833ebe
                                                                                                                                                              • Opcode Fuzzy Hash: e63190b9abf658a7cc0fb4e82f57e7f5f900a47080b1c03c191e11269c1da4f8
                                                                                                                                                              • Instruction Fuzzy Hash: D7C04C34E403519FE78A9B7494553093AD1FB94200F90417F8506C7159EB3CC849C620
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 14a82d0e382265dc9887f02af359cd7cd3f6919d4a867462188eba172ca26a36
                                                                                                                                                              • Instruction ID: 192adb9b30eb2f780511de0914362ab8efba94ae51c78f5a550cff11b2711deb
                                                                                                                                                              • Opcode Fuzzy Hash: 14a82d0e382265dc9887f02af359cd7cd3f6919d4a867462188eba172ca26a36
                                                                                                                                                              • Instruction Fuzzy Hash: 98C08C21604940ABFF0A6730D52A3093E1AE380308F00806DA1128A6C2E378A511C711
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: bc83432f300a2ecdeb1404adc809c419bbd0d43c5641079763e0efb37ea68f6b
                                                                                                                                                              • Instruction ID: 1070f663d975266e095b7dd5d0daca7dd84a1ed804425267832c8ddd1b52e70d
                                                                                                                                                              • Opcode Fuzzy Hash: bc83432f300a2ecdeb1404adc809c419bbd0d43c5641079763e0efb37ea68f6b
                                                                                                                                                              • Instruction Fuzzy Hash: 52C09BB7550201D6E744A750DD01F467AD0F774715F055119A57590051D7608531D966
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 313a8c2ef5dc1fd7e67108538a7a88f5f7aff800325d7f87695db07cdd94890b
                                                                                                                                                              • Instruction ID: 865df976b5651713c73a80c8d79df31d5e67794af9b6f362cb5f04933bfc02c7
                                                                                                                                                              • Opcode Fuzzy Hash: 313a8c2ef5dc1fd7e67108538a7a88f5f7aff800325d7f87695db07cdd94890b
                                                                                                                                                              • Instruction Fuzzy Hash: 73B01236A96107EDF2C476688DC8D7FE450FBB5704B409C09771550041C820C875D66B
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000000.00000002.2346220557.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_0_2_4aa0000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: a9529b946e0c4d30a00aecf3bfef087b3796ea20a5e3992591069cfe563d8574
                                                                                                                                                              • Instruction ID: b30b7110cd3e688dfb7ac9ef1ed7cb2d81f287a9b9e62de28e0f8700e8ec7594
                                                                                                                                                              • Opcode Fuzzy Hash: a9529b946e0c4d30a00aecf3bfef087b3796ea20a5e3992591069cfe563d8574
                                                                                                                                                              • Instruction Fuzzy Hash: 041285F1C817458AD310CF65E84C1897BB9BB51319FF08A0AD2617B2E5DBB835AACF44
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 683aa249e970d6a2828b4a153346b8f23c682884e9831a10bfd132488da5c81b
• Instruction ID: 9e62443fd38f549df870e39387aaa6555883700fb99a5164241f719fec40fd48
• Opcode Fuzzy Hash: 683aa249e970d6a2828b4a153346b8f23c682884e9831a10bfd132488da5c81b
• Instruction Fuzzy Hash: E9E1EB74E10219CFDB54EFA9C5809AEFBF2BF49305F248169D418AB356D730A942CFA0
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1553fc8d086778781258903a54b6f6658e67eb49559bb84aee55c2cedda1e73f
• Instruction ID: 78052c0ec7c8676d45d78a618384004ee77f09d3da7d218f9456905af590c3e4
• Opcode Fuzzy Hash: 1553fc8d086778781258903a54b6f6658e67eb49559bb84aee55c2cedda1e73f
• Instruction Fuzzy Hash: 02E1E974E10219CFDB54EFA9C5809AEFBF2BF89305F248169D418AB355D731A942CFA0
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 148255ff0e169db534d55f4c40cf218d641ecaf50e13432e6c43c01abcd6c746
• Instruction ID: ae3c13bb79eb0d42ea5bb78e1117c7ffe1b293c8f671bfb7127257cd98849c27
• Opcode Fuzzy Hash: 148255ff0e169db534d55f4c40cf218d641ecaf50e13432e6c43c01abcd6c746
• Instruction Fuzzy Hash: 25E1FA74E00259CFDB54EFA9C5809AEFBF2BF49305F248169D419AB356D730A942CFA0
Memory Dump Source
• Source File: 00000000.00000002.2343402323.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d00000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fa33cff51e007eabdfbd60c35049ff2d33e909cb5f3d6e4b1555f7072dd1b0
• Instruction ID: a34bd800dd8ee7ae70c26b03281666f27d83d05657336274d2ac105712601758
• Opcode Fuzzy Hash: 80fa33cff51e007eabdfbd60c35049ff2d33e909cb5f3d6e4b1555f7072dd1b0
• Instruction Fuzzy Hash: 70A18136E00205CFCF15DFB5C84069EB7B2FF85300B25497AE809AB2A5DB71E955CBA0
Memory Dump Source
• Source File: 00000000.00000002.2346220557.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4aa0000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbd3bd7205fdb10d20f7eabeef7a22aa9303d04b7facdd74e0f46cdad04d2661
• Instruction ID: d025056d8a73514d50c682b055552191d1a121cd0de98f12c566db4f74d84f77
• Opcode Fuzzy Hash: dbd3bd7205fdb10d20f7eabeef7a22aa9303d04b7facdd74e0f46cdad04d2661
• Instruction Fuzzy Hash: 04C1F6F1C817458AD714CF25E84C1897BB9BB95324FB18B1AD1617B2E0DBB834AACF44
Memory Dump Source
• Source File: 00000000.00000002.2347671843.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6a80000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae8966c2532d537628ab03a959da6646ef9a8f5099f5c6382f796a8366ca2c6f
• Instruction ID: 611e07659d9bde0fc6bd897da683bdd2f4d1efdfaaab01644b46551e3f4cae28
• Opcode Fuzzy Hash: ae8966c2532d537628ab03a959da6646ef9a8f5099f5c6382f796a8366ca2c6f
• Instruction Fuzzy Hash: 084168B0D08208CFDB48EFAAC4042EEBBF2AF8D300F15D0AAD659A7251D7354942CF54

Execution Graph

Execution Coverage: 9.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 149
Total number of Limit Nodes: 8

execution_graph (rendered call graph; the flattened node/edge export is reduced here to its four entry points and the Windows API each one reaches)
• 11dd01c -> 11dd034 -> 53c1ea8, 53c1e98, 53c1ef7 (each through 53c0ad4) and 53c2c08. 53c0ad4 and 53c2c08 both continue at 53c2c79 -> 53c0bfc -> 53c435a CallWindowProcW, or at 53c2c69 -> 53c2d90 / 53c2da0 / 53c2e6c -> 53c2e48 / 53c2e58 -> 53c4292 -> 53c0bfc CallWindowProcW; every path returns to 11dd08e.
• 1224668 -> 1224684 -> 1224696 -> 1223e10 -> 1225c54 -> 1225c64 -> 1225c94 -> 1225cc4 -> 1225ccf, from which 122a9f8 / 122aa08 -> 122835f CreateWindowExW, and 1228653 -> 122cde0 / 122cdf0 -> 122cfa0 / 122cf90 -> 122c8d8 -> 122ca04 -> 1225cc4 CreateWindowExW -> 122d967 -> 122f6e0 / 122f6c8 -> 53c0db8 / 53c0dc8 CreateWindowExW. The 1224684 -> 12247a0 branch goes 12247c5 -> 12248a1 / 12248b0 -> 12248d7 -> 1224248 -> 1225940 CreateActCtxA.
• 122ad38 -> 122ae30 -> 122ae41 -> 122b068 GetModuleHandleW -> 122b095, returning to 122ad47.
• 122d0b8 -> 122d0fe -> 122d289 / 122d298 -> 122c9a0 -> 122d300 DuplicateHandle -> 122d396 -> 122d2c6 -> 122d1eb.

Control-flow Graph (function at 122ae30; one line per basic block: id, address range, calls or API inside the block, successor blocks)

 id  address range      inside the block              successors
 18  122ae30-122ae3f                                  -> 19, 20
 19  122ae41-122ae4e    call 1229838                  -> 25, 26
 25  122ae50                                          -> 76, 77
 76  122ae56            call 122b0b8                  -> 31
 77  122ae56            call 122b0c8                  -> 31
 31  122ae5c-122ae5e                                  -> 26, 34
 26  122ae64                                          -> 20
 20  122ae6b-122ae6f                                  -> 21, 22
 22  122ae71-122ae7b                                  -> 21
 21  122ae83-122aec4                                  -> 29, 30
 30  122aec6-122aece                                  -> 29
 29  122aed1-122aedf                                  -> 32, 33
 33  122aee1-122aee6                                  -> 36, 37
 37  122aee8-122aeef    call 122a814                  -> 39
 36  122aef1                                          -> 39
 39  122aef3-122af01                                  -> 35
 32  122af03-122af05                                  -> 35
 35  122af08-122af0f                                  -> 40, 41
 40  122af11-122af19                                  -> 41
 41  122af1c-122af23                                  -> 43, 44
 44  122af25-122af2d                                  -> 43
 43  122af30-122af39    call 122a824                  -> 49, 50
 50  122af3b-122af43                                  -> 49
 49  122af46-122af4b                                  -> 52, 53
 53  122af4d-122af54                                  -> 52, 55
 55  122af56-122af66    call 122a834, call 122a844    -> 52
 52  122af69-122af76                                  -> 60, 61
 60  122af78-122af96                                  -> 61
 61  122af99-122af9f                                  (no successors)
 34  122afa0-122afb7                                  -> 51
 51  122afb9-122b018                                  -> 69
 69  122b01a-122b060                                  -> 71, 72
 71  122b062-122b065                                  -> 72
 72  122b068-122b093    GetModuleHandleW              -> 73, 74
 73  122b095-122b09b                                  -> 74
 74  122b09c-122b0b0                                  (no successors)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0122B086
Memory Dump Source
• Source File: 00000004.00000002.4029805509.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1220000_2eRd5imEKU.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: ef01ea08edd7fd74ff8567dabd273b9f75c608cea4cbe644a219f14b2c3057a5
• Instruction ID: 74685f6604175d350892c4a680eb8223c16c402d96917f3fb5ed157122b1aee7
• Opcode Fuzzy Hash: ef01ea08edd7fd74ff8567dabd273b9f75c608cea4cbe644a219f14b2c3057a5
• Instruction Fuzzy Hash: 2F715770A10B169FE724DF29D04075ABBF1FF88704F00892DE55AD7A50DB79E845CB91
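
The control_flow_graph text for this function is the report's flattened export of the rendered graph: each basic block appears as an id followed by an address or address range, "call <target>" and API names are attached to the block that contains them, and "a->b" tokens are the edges. The following is an added example, not code from the report and not Joe Sandbox's own tooling, that parses that export into blocks and edges and then asks the question the picture answers at a glance: which path leads from the entry at 122ae30 to the block that calls GetModuleHandleW, and which internal calls run before it. The listing embedded in the code is copied from this report; the token grammar is inferred from it, since the report does not document the format, so treat the grammar as an assumption.

```python
"""Parse a Joe Sandbox control_flow_graph listing and find the path to its API call.

Added example, not code from the report or from Joe Sandbox. The listing is the
one this report prints for the function at 122ae30 (dump 01220000). Its token
grammar (block id, address or range, optional "call <addr>" and API-name
annotations, "a->b" edges) is inferred from the listing itself; the report does
not document it, so the grammar is an assumption.
"""
import re
from collections import deque

# Copied from the report's control_flow_graph line for the 122ae30 function.
CFG_122AE30 = (
    "control_flow_graph 18 122ae30-122ae3f 19 122ae41-122ae4e call 1229838 "
    "18->19 20 122ae6b-122ae6f 18->20 25 122ae50 19->25 26 122ae64 19->26 "
    "21 122ae83-122aec4 20->21 22 122ae71-122ae7b 20->22 29 122aed1-122aedf "
    "21->29 30 122aec6-122aece 21->30 22->21 76 122ae56 call 122b0b8 25->76 "
    "77 122ae56 call 122b0c8 25->77 26->20 32 122af03-122af05 29->32 "
    "33 122aee1-122aee6 29->33 30->29 31 122ae5c-122ae5e 31->26 "
    "34 122afa0-122afb7 31->34 35 122af08-122af0f 32->35 36 122aef1 33->36 "
    "37 122aee8-122aeef call 122a814 33->37 51 122afb9-122b018 34->51 "
    "40 122af11-122af19 35->40 41 122af1c-122af23 35->41 39 122aef3-122af01 "
    "36->39 37->39 39->35 40->41 43 122af30-122af39 call 122a824 41->43 "
    "44 122af25-122af2d 41->44 49 122af46-122af4b 43->49 50 122af3b-122af43 "
    "43->50 44->43 52 122af69-122af76 49->52 53 122af4d-122af54 49->53 "
    "50->49 69 122b01a-122b060 51->69 60 122af78-122af96 52->60 "
    "61 122af99-122af9f 52->61 53->52 55 122af56-122af66 call 122a834 "
    "call 122a844 53->55 55->52 60->61 71 122b062-122b065 69->71 "
    "72 122b068-122b093 GetModuleHandleW 69->72 71->72 73 122b095-122b09b "
    "72->73 74 122b09c-122b0b0 72->74 73->74 76->31 77->31"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
BLOCK_ID_RE = re.compile(r"^\d+$")


def parse_graph(text):
    """Return (blocks, edges): blocks maps id -> {"range", "calls", "apis"} in
    listing order; edges is the list of (src, dst) pairs in listing order."""
    tokens = text.split()
    if tokens and tokens[0] in ("control_flow_graph", "execution_graph"):
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok == "call":  # "call <target>" belongs to the current block
            blocks[current]["calls"].append(tokens[i + 1])
            i += 2
        elif BLOCK_ID_RE.match(tok):  # "<id> <address[-address]>" opens a block
            current = int(tok)
            blocks[current] = {"range": tokens[i + 1], "calls": [], "apis": []}
            i += 2
        else:  # any other identifier is an API called from the current block
            blocks[current]["apis"].append(tok)
            i += 1
    return blocks, edges


def successors(blocks, edges):
    succ = {b: [] for b in blocks}
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def shortest_path(succ, start, goal):
    """Breadth-first search; list of block ids, or None when goal is unreachable."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in succ[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def analyse(text):
    """Entry block, exit blocks, and the shortest entry-to-API path per API block."""
    blocks, edges = parse_graph(text)
    succ = successors(blocks, edges)
    entry = next(iter(blocks))  # the first block listed is the function entry
    api_paths = {}
    for b, info in blocks.items():
        if info["apis"]:
            path = shortest_path(succ, entry, b)
            api_paths[b] = {
                "apis": info["apis"], "path": path,
                "ranges": [blocks[x]["range"] for x in path] if path else None,
                # internal calls made before the API call along that path
                "calls_before": [c for x in path[:-1] for c in blocks[x]["calls"]] if path else None,
            }
    return {"entry": entry, "block_count": len(blocks), "edge_count": len(edges),
            "exits": sorted(b for b in blocks if not succ[b]), "api_paths": api_paths}
```

On this listing the only route to block 72 (122b068-122b093, GetModuleHandleW) runs through blocks 19, 25, 76 (call 122b0b8), 31, 34, 51 and 69, so the internal calls 1229838 and 122b0b8 precede the API call; the sub-graph entered at block 20 never reaches block 72 and ends at block 61. The same parser accepts the execution_graph export, whose node entries use the same "<id> <address> [API]" and "a->b" syntax.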

Control-flow Graph (function at 53c0aa8; one line per basic block: id, address range, API inside the block, successor blocks)

 id  address range      inside the block              successors
 78  53c0aa8-53c1d56                                  -> 80, 81
 80  53c1d58-53c1d5e                                  -> 81
 81  53c1d61-53c1d68                                  -> 82, 83
 82  53c1d6a-53c1d70                                  -> 83
 83  53c1d73-53c1e12    CreateWindowExW               -> 85, 86
 86  53c1e14-53c1e1a                                  -> 85
 85  53c1e1b-53c1e53                                  -> 90, 91
 90  53c1e55-53c1e58                                  -> 91
 91  53c1e60                                          -> 92
 92  53c1e61                                          -> 92 (edge to itself)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053C1E02
Memory Dump Source
• Source File: 00000004.00000002.4031547197.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_53c0000_2eRd5imEKU.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 940c1119a588106b18318048a1eca956386cb1b035af2f4e447f7dc7cb184a08
• Instruction ID: 0d2ee89adbbedfe7d7166044f65e79ebd420b8525bf0cf913e4c1d633edb784b
• Opcode Fuzzy Hash: 940c1119a588106b18318048a1eca956386cb1b035af2f4e447f7dc7cb184a08
• Instruction Fuzzy Hash: A151CEB1D003099FDB14CFA9C884ADEBFB6BF49310F24816EE819AB211D7709845CF90

Control-flow Graph (function at 53c1ce4; one line per basic block: id, address range, API inside the block, successor blocks)

 id   address range      inside the block             successors
 93   53c1ce4-53c1d56                                 -> 96, 97
 96   53c1d58-53c1d5e                                 -> 97
 97   53c1d61-53c1d68                                 -> 98, 99
 98   53c1d6a-53c1d70                                 -> 99
 99   53c1d73-53c1dab                                 -> 100
 100  53c1db3-53c1e12    CreateWindowExW              -> 101, 102
 102  53c1e14-53c1e1a                                 -> 101
 101  53c1e1b-53c1e53                                 -> 106, 107
 106  53c1e55-53c1e58                                 -> 107
 107  53c1e60                                         -> 108
 108  53c1e61                                         -> 108 (edge to itself)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053C1E02
Memory Dump Source
• Source File: 00000004.00000002.4031547197.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_53c0000_2eRd5imEKU.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: a01ed63b3885d8abc4d5c311b9b33e610250a647dc9afeabd21dbc8ace6a8afc
• Instruction ID: e2ea09afd733da2b07b224c50b8999ee151414f7bdc099bcba4f86d9ed191332
• Opcode Fuzzy Hash: a01ed63b3885d8abc4d5c311b9b33e610250a647dc9afeabd21dbc8ace6a8afc
• Instruction Fuzzy Hash: F251BEB1D103499FDB14CFA9C884ADEBFB5BF49310F24826AE819AB211D7719845CF90

Control-flow Graph (basic blocks and edges; the rendered graph's executed/not-executed colouring is not reproduced)
• Blocks: 109 53c0bfc-53c42fc; 112 53c43ac-53c43cc (call 53c0ad4); 113 53c4302-53c4307; 121 53c43cf-53c43dc; 114 53c4309-53c4340; 115 53c435a-53c4392 (CallWindowProcW); 122 53c4349-53c4358; 123 53c4342-53c4348; 117 53c439b-53c43aa; 118 53c4394-53c439a
• Edges: 109->112, 109->113, 112->121, 113->114, 113->115, 114->122, 114->123, 115->117, 115->118, 117->121, 118->117, 122->121, 123->122
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 053C4381
Memory Dump Source
• Source File: 00000004.00000002.4031547197.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_53c0000_2eRd5imEKU.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 81e71c2a9019563045caf200df46e118739a2ccb2bf94143b58c04452f674b7b
• Instruction ID: fbb5d02e0d429a577fe556c9190994beef6981c3c657936ab2031b5233d4dd1d
• Opcode Fuzzy Hash: 81e71c2a9019563045caf200df46e118739a2ccb2bf94143b58c04452f674b7b
• Instruction Fuzzy Hash: 3E4129B8900305CFDB14CF99C448AAABBF5FF88315F24C59DD519AB321D774A941CBA0

Control-flow Graph (basic blocks and edges; the rendered graph's executed/not-executed colouring is not reproduced)
• Blocks: 126 1224248-1225a01 (CreateActCtxA); 129 1225a03-1225a09; 130 1225a0a-1225a64; 137 1225a73-1225a77; 138 1225a66-1225a69; 139 1225a88; 140 1225a79-1225a85; 142 1225a89
• Edges: 126->129, 126->130, 129->130, 130->137, 130->138, 137->139, 137->140, 138->137, 139->142, 140->139, 142->142
APIs
• CreateActCtxA.KERNEL32(?), ref: 012259F1
Memory Dump Source
• Source File: 00000004.00000002.4029805509.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1220000_2eRd5imEKU.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 5c422ff9a6cd0972df07698cddad5cff20d5a6bc07306a2aab5ca62bbda92920
• Instruction ID: a5784dd778e1160332112185ff3a4a0924766f4ac7fd51809cfbc333ae6a6b1f
• Opcode Fuzzy Hash: 5c422ff9a6cd0972df07698cddad5cff20d5a6bc07306a2aab5ca62bbda92920
• Instruction Fuzzy Hash: 1941FDB0C10729DBDB24CFAAC885BDEBBB5FF48314F20806AD508AB251DB756945CF90

Control-flow Graph (basic blocks and edges; the rendered graph's executed/not-executed colouring is not reproduced)
• Blocks: 143 1225935-122593c; 144 1225944-1225a01 (CreateActCtxA); 146 1225a03-1225a09; 147 1225a0a-1225a64; 154 1225a73-1225a77; 155 1225a66-1225a69; 156 1225a88; 157 1225a79-1225a85; 159 1225a89
• Edges: 143->144, 144->146, 144->147, 146->147, 147->154, 147->155, 154->156, 154->157, 155->154, 156->159, 157->156, 159->159
APIs
• CreateActCtxA.KERNEL32(?), ref: 012259F1
Memory Dump Source
• Source File: 00000004.00000002.4029805509.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1220000_2eRd5imEKU.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 60c5bdd527ebaf05be2c9f2c2bd853f6dc3724b510d26df35f38022b16bff0db
• Instruction ID: c87b46cb3c2646229f99d7aab77860e4273345d327b0cd92a7eec5446dcc5618
• Opcode Fuzzy Hash: 60c5bdd527ebaf05be2c9f2c2bd853f6dc3724b510d26df35f38022b16bff0db
• Instruction Fuzzy Hash: 2B41CEB0C10729DEDB24DFAAC885BDDBBB5FF88304F20816AD508AB251DB756945CF90

Control-flow Graph (basic blocks and edges; the rendered graph's executed/not-executed colouring is not reproduced)
• Blocks: 160 122c9a0-122d394 (DuplicateHandle); 162 122d396-122d39c; 163 122d39d-122d3ba
• Edges: 160->162, 160->163, 162->163
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0122D2C6,?,?,?,?,?), ref: 0122D387
Memory Dump Source
• Source File: 00000004.00000002.4029805509.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1220000_2eRd5imEKU.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 05a5bd017c20936ee006f188324e395bee304615ca7894c34be060fa7b33ba30
• Instruction ID: fc80f6b52a1e7bbe8e7a92b2269afc4881064bbba8acabead908aa8f13905f74
• Opcode Fuzzy Hash: 05a5bd017c20936ee006f188324e395bee304615ca7894c34be060fa7b33ba30
• Instruction Fuzzy Hash: 4E21E4B5D0021DEFDB10CF9AD984AEEBBF4EB48310F14841AE918A7310D378A950CFA5

Control-flow Graph (basic blocks and edges; the rendered graph's executed/not-executed colouring is not reproduced)
• Blocks: 166 122d2f9-122d2fe; 167 122d300-122d394 (DuplicateHandle); 168 122d396-122d39c; 169 122d39d-122d3ba
• Edges: 166->167, 167->168, 167->169, 168->169
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0122D2C6,?,?,?,?,?), ref: 0122D387
Memory Dump Source
• Source File: 00000004.00000002.4029805509.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1220000_2eRd5imEKU.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 90fcd537376b931980d13d56e0ec4462c6ee93274cb4ecf1aa4b4d06ca376228
• Instruction ID: 7a6fbbb6a469c12753ef6a885bacee95a543cb60a7ff8e86b7acc91275e7edfd
• Opcode Fuzzy Hash: 90fcd537376b931980d13d56e0ec4462c6ee93274cb4ecf1aa4b4d06ca376228
• Instruction Fuzzy Hash: 7221E4B5D00219EFDB10CFAAD884ADEBBF4EB48310F14801AE918A3310D374A950CFA5

Control-flow Graph (basic blocks and edges; the rendered graph's executed/not-executed colouring is not reproduced)
• Blocks: 172 122b020-122b060; 173 122b062-122b065; 174 122b068-122b093 (GetModuleHandleW); 175 122b095-122b09b; 176 122b09c-122b0b0
• Edges: 172->173, 172->174, 173->174, 174->175, 174->176, 175->176
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0122B086
Memory Dump Source
• Source File: 00000004.00000002.4029805509.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1220000_2eRd5imEKU.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 085f22d16cfe65bb9c3dc06fbe217b215d321a296edca67911761f4aa193a94d
• Instruction ID: d9e6a394e45fcbb080e16e7d8e2c34fd5735b325192624f00dfe090b4016cc34
• Opcode Fuzzy Hash: 085f22d16cfe65bb9c3dc06fbe217b215d321a296edca67911761f4aa193a94d
• Instruction Fuzzy Hash: 13110FB5C007598FDB20CF9AC444ADEFBF4AB88720F10841AD928A7210C379A645CFA5

Memory Dump Source
• Source File: 00000004.00000002.4029559945.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11cd000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 850bca346e415a73556c96ad5258c790e16dffd88ba90f060950899a11fbd5be
• Instruction ID: 888344e188f4f8403aeb08ac3132e1d4b5e63e814e34128d83d2d0b05d1ef05e
• Opcode Fuzzy Hash: 850bca346e415a73556c96ad5258c790e16dffd88ba90f060950899a11fbd5be
• Instruction Fuzzy Hash: 822102B1100204DFDF09DF44E9C0B56FB65EB94714F20816CDA090A656C336E446CAA2

Memory Dump Source
• Source File: 00000004.00000002.4029618964.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11dd000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbf3b4cc285ad94e2616422279f62e5d0fb3c549972895c87ad2345a1667fb1f
• Instruction ID: 5b30fc2b0797482568f2d5f8509e24d4989100e15eb556837e1f13e6180ee415
• Opcode Fuzzy Hash: dbf3b4cc285ad94e2616422279f62e5d0fb3c549972895c87ad2345a1667fb1f
• Instruction Fuzzy Hash: 7621F271604204DFDF19DF68E984B16BB65EBC8314F24C56DD90A4B296C33AD447CA62

Memory Dump Source
• Source File: 00000004.00000002.4029618964.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11dd000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 901a4813c10e1921ec328494ec6f776b5b779e121deb1dbe40c8ec221fca7289
• Instruction ID: bc3c5b0591a12fc5975813ce2bb7aa7021400382108e3a1ed12f8fb1fc434211
• Opcode Fuzzy Hash: 901a4813c10e1921ec328494ec6f776b5b779e121deb1dbe40c8ec221fca7289
• Instruction Fuzzy Hash: 1521A1755093808FCB17CF24D990B15BF71EB85214F28C5EAD8498B6A7C33AD40ACB62

Memory Dump Source
• Source File: 00000004.00000002.4029559945.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11cd000_2eRd5imEKU.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
• Instruction ID: 4da5b93b58957a34edfaca4d0c70b5924df0a5a594a15307810ed8e81a7b0e99
• Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
• Instruction Fuzzy Hash: C011CD72404280DFCF06CF44D9C0B56BF61FB94224F2482ADD9090A657C33AE456CBA2

                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.4029559945.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_11cd000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: fd593fd03a946d249ec0117ce50ae2cb58172d1aacb9f8c5a0efbf3ccc3bd0bb
                                                                                                                                                              • Instruction ID: cc8d4520dfb1ff6c372173deb419d8070e493a2c416b8a285d51601a08382b19
                                                                                                                                                              • Opcode Fuzzy Hash: fd593fd03a946d249ec0117ce50ae2cb58172d1aacb9f8c5a0efbf3ccc3bd0bb
                                                                                                                                                              • Instruction Fuzzy Hash: C1F04F75200600AF97148F0AD884C23FBADEFD4770316C16AE84A4B611C731EC41CEA0
                                                                                                                                                              Memory Dump Source
                                                                                                                                                              • Source File: 00000004.00000002.4029559945.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                              • Snapshot File: hcaresult_4_2_11cd000_2eRd5imEKU.jbxd
                                                                                                                                                              Similarity
                                                                                                                                                              • API ID:
                                                                                                                                                              • String ID:
                                                                                                                                                              • API String ID:
                                                                                                                                                              • Opcode ID: 9e1520e2c2d69dd886ad1fbb7ca5871b5a4eaf765ad9c85284b86d587efc1438
                                                                                                                                                              • Instruction ID: 7c9ecab139817e32226c456aac36800982fd810be94a89ab618177a8079a253b
                                                                                                                                                              • Opcode Fuzzy Hash: 9e1520e2c2d69dd886ad1fbb7ca5871b5a4eaf765ad9c85284b86d587efc1438
                                                                                                                                                              • Instruction Fuzzy Hash: 56F03C75104680AFD7158F15C884C23BFB9EF9576071A8599E88A4B252C631FC42CBA1