Windows Analysis Report
Xf3rn1smZw.exe

Overview

General Information

Sample name: Xf3rn1smZw.exe (renamed because the original name is a hash value)
Original sample name: 0766e43d3968a048e78c18383353ea6450934bcd0427ec9757c8da2570884580.exe
Analysis ID: 1587910
MD5: 223342da9548abad8b253b0918baffd1
SHA1: 9d1dfe8772a94721f3aaeef0077dd867987973f9
SHA256: 0766e43d3968a048e78c18383353ea6450934bcd0427ec9757c8da2570884580
Tags: exe, RedLineStealer, user-adrian__luca

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name in the version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Xf3rn1smZw.exe (PID: 3316 cmdline: "C:\Users\user\Desktop\Xf3rn1smZw.exe" MD5: 223342DA9548ABAD8B253B0918BAFFD1)
    • Xf3rn1smZw.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\Xf3rn1smZw.exe" MD5: 223342DA9548ABAD8B253B0918BAFFD1)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration (extracted): {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
00000000.00000002.1373252363.0000000003A69000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.2620504999.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: Xf3rn1smZw.exe PID: 3316 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: Xf3rn1smZw.exe PID: 3316 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(1 further entry not shown)
Source | Rule | Description | Author | Strings
3.2.Xf3rn1smZw.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
3.2.Xf3rn1smZw.exe.400000.0.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  • 0x24cc3:$gen01: ChromeGetRoamingName
  • 0x24ce8:$gen02: ChromeGetLocalName
  • 0x24d2b:$gen03: get_UserDomainName
  • 0x28bc4:$gen04: get_encrypted_key
  • 0x27943:$gen05: browserPaths
  • 0x27c19:$gen06: GetBrowsers
  • 0x27501:$gen07: get_InstalledInputLanguages
  • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x296be:$spe9: *wallet*
  • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.Xf3rn1smZw.exe.46373c8.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Xf3rn1smZw.exe.46373c8.0.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  • 0x22ec3:$gen01: ChromeGetRoamingName
  • 0x22ee8:$gen02: ChromeGetLocalName
  • 0x22f2b:$gen03: get_UserDomainName
  • 0x26dc4:$gen04: get_encrypted_key
  • 0x25b43:$gen05: browserPaths
  • 0x25e19:$gen06: GetBrowsers
  • 0x25701:$gen07: get_InstalledInputLanguages
  • 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x4a838:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x278be:$spe9: *wallet*
  • 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x1fbc1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x1fd92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x1ffe5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x202d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.Xf3rn1smZw.exe.46373c8.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(5 further entries not shown)
No Sigma rule has matched
No Suricata rule has matched
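The Sekoia.io rule's $spe1, $spe7 and $spe8 hits in the table above are readable values with a junk token ("String", "FileInfo", "Generic") spliced in at several points, which is consistent with a stealer that stores its strings split and removes the token at runtime with a string replace (this reading is the editor's, not a statement from the report). The Python below is an added example written for this page, not code from the report, Joe Security or Sekoia.io. It guesses the junk token from repetition alone (a heuristic of this example, not the sample's own logic), strips it, and then applies the recovered $spe1 regex to a constructed input; describing that regex as a three-part 24.6.27 token pattern is likewise this example's interpretation.

```python
"""Strip the junk token that splits RedLine's strings (e.g. 'OFileInfopeFileInfora ...')
and recover the readable value. The token-guessing heuristic is this example's own."""
import re
from typing import Dict, Optional

# The three obfuscated strings exactly as the Sekoia.io rule matched them in the unpacked
# image (report entries $spe1, $spe7, $spe8). Backslashes are doubled for Python.
OBFUSCATED: Dict[str, str] = {
    "spe1": "[AString-ZaString-z\\d]{2String4}\\.[String\\w-]{String6}\\.[\\wString-]{2String7}",
    "spe7": "OFileInfopeFileInfora GFileInfoX StabFileInfole",
    "spe8": "ApGenericpDaGenericta\\RGenericoamiGenericng\\",
}


def guess_junk_token(s: str, min_len: int = 4, min_count: int = 3) -> Optional[str]:
    """Pick the substring of at least min_len chars that repeats (non-overlapping) most often,
    at least min_count times; ties go to the longer candidate. This is a triage heuristic
    (assumption of this example); in the sample itself the token would be a literal."""
    best = None  # (count, length, token)
    for length in range(min_len, len(s) // min_count + 1):
        for i in range(len(s) - length + 1):
            cand = s[i:i + length]
            n = s.count(cand)
            if n >= min_count and (best is None or (n, length) > (best[0], best[1])):
                best = (n, length, cand)
    return best[2] if best else None


def deobfuscate(s: str, token: Optional[str] = None) -> str:
    """Remove the junk token (guessed when not given); unchanged if nothing repeats enough."""
    token = token or guess_junk_token(s)
    return s.replace(token, "") if token else s


def deobfuscate_all(strings: Dict[str, str]) -> Dict[str, str]:
    """Apply deobfuscate() to every named string and keep the names."""
    return {name: deobfuscate(value) for name, value in strings.items()}


def looks_like_token(candidate: str) -> bool:
    """Apply the recovered $spe1 pattern (24, 6 and 27 characters separated by dots)
    to a candidate string; the sample would use it to pick tokens out of files."""
    pattern = deobfuscate(OBFUSCATED["spe1"])
    return re.fullmatch(pattern, candidate) is not None


if __name__ == "__main__":
    for name, clean in deobfuscate_all(OBFUSCATED).items():
        print(f"{name}: token={guess_junk_token(OBFUSCATED[name])!r} -> {clean}")
    # constructed input of the right shape, not a real token
    print(looks_like_token("A" * 24 + "." + "b" * 6 + "." + "c" * 27))
```

With the token removed, $spe7 reads "Opera GX Stable" (a browser profile the stealer enumerates), $spe8 reads "AppData\Roaming\" (the profile root it walks) and $spe1 becomes the regex `[A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}`. The same pass over a full strings dump of the unpacked image is a quick way to recover the remaining split strings before reading the decompiled code.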

AV Detection

Source: Xf3rn1smZw.exe | Avira: detected
Source: 00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: Xf3rn1smZw.exe | ReversingLabs: Detection: 76%
Source: Xf3rn1smZw.exe | Virustotal: Detection: 79%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Xf3rn1smZw.exe | Joe Sandbox ML: detected
Source: Xf3rn1smZw.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Xf3rn1smZw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb | source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb<x | source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb | source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb9 | source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbk | source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb | source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000D0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb | source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor | URLs: 87.120.120.86:1912
Source: global traffic | TCP traffic: 192.168.2.9:49755 -> 87.120.120.86:1912
Source: Joe Sandbox View | IP Address: 87.120.120.86
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86 (23 identical events)
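The networking entries above carry three facts a detection engineer can act on directly: the C2 endpoint from the extracted configuration (87.120.120.86:1912), a TCP connection to that address with no preceding DNS query, and the use of a non-standard port. The Python below is an added example, not part of the report and not a Joe Sandbox or Suricata component. It parses the configuration exactly as printed, emits a Suricata rule for the C2 endpoint, and runs the two behavioural checks over constructed flow and DNS records in which only the first flow reproduces the report's observed connection; the "standard port" list and the LAN exemption are assumptions of this example.

```python
"""Turn the extracted RedLine configuration into a network detection and check captured
flows for the behaviours the report flags: connection to the configured C2, TCP to an
address that was never resolved via DNS, and traffic on a non-standard port."""
import json
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Configuration exactly as the report's extractor printed it.
CONFIG = json.loads('{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", '
                    '"Authorization Header": "c74790bd166600f1f665c8ce201776eb"}')

# Constructed records. The first flow reproduces the report's observed connection
# (192.168.2.9:49755 -> 87.120.120.86:1912 with no DNS query); the other rows use
# RFC 5737 documentation addresses and are invented for this example.
DNS_LOG = [{"client": "192.168.2.9", "qname": "www.example.com", "answers": ["203.0.113.10"]}]
FLOWS = [
    {"src": "192.168.2.9", "sport": 49755, "dst": "87.120.120.86", "dport": 1912, "proto": "tcp"},
    {"src": "192.168.2.9", "sport": 49760, "dst": "203.0.113.10", "dport": 443, "proto": "tcp"},
    {"src": "192.168.2.9", "sport": 49761, "dst": "203.0.113.20", "dport": 8080, "proto": "tcp"},
    {"src": "192.168.2.9", "sport": 49762, "dst": "192.168.2.1", "dport": 53, "proto": "udp"},
]

# Ports treated as "standard" for the non-standard-port check (assumption for the example).
STANDARD_PORTS = {21, 22, 25, 53, 80, 123, 443, 465, 587, 993, 995}

# RFC 1918, loopback and link-local ranges: LAN traffic is exempt from the no-DNS check.
LAN_NETS = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_lan(ip: str) -> bool:
    """True for destinations inside the local ranges listed in LAN_NETS."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_c2(config: Dict) -> List[Tuple[str, int]]:
    """'87.120.120.86:1912' -> ('87.120.120.86', 1912). Only ip:port entries are kept;
    hostnames or entries without a numeric port are skipped rather than guessed."""
    out: List[Tuple[str, int]] = []
    for entry in config.get("C2 url", []):
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip_address(host)
        except ValueError:
            continue
        out.append((host, int(port)))
    return out


def flag_flows(flows: List[Dict], dns_log: List[Dict], c2_list: List[Tuple[str, int]]) -> List[Dict]:
    """Return the flows that match at least one behaviour, with the reasons in a fixed order:
    config_c2_match, no_dns_for_dst, non_standard_port."""
    resolved = {ip for rec in dns_log for ip in rec["answers"]}
    c2 = set(c2_list)
    findings = []
    for f in flows:
        reasons = []
        if (f["dst"], f["dport"]) in c2:
            reasons.append("config_c2_match")
        if not is_lan(f["dst"]) and f["dst"] not in resolved:
            reasons.append("no_dns_for_dst")
        if f["dport"] not in STANDARD_PORTS:
            reasons.append("non_standard_port")
        if reasons:
            findings.append({**f, "reasons": reasons})
    return findings


def suricata_rule(ip: str, port: int, sid: int) -> str:
    """Emit a Suricata rule for the configured C2 endpoint (sid is the caller's choice)."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"RedLine C2 from extracted config"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    c2 = parse_c2(CONFIG)
    print(suricata_rule(*c2[0], sid=1000001))
    for f in flag_flows(FLOWS, DNS_LOG, c2):
        print(f"{f['dst']}:{f['dport']} {f['proto']} -> {', '.join(f['reasons'])}")
```

The report notes that no Suricata rule matched during analysis, which is exactly the gap the generated rule closes for this endpoint; the two behavioural checks are the portable part, since a rebuilt sample will change the address but rarely the direct-to-IP, odd-port pattern.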
Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory (one match per line):
http://schemas.xmlsoap.org/soap/actor/next
http://schemas.xmlsoap.org/soap/envelope/
http://schemas.xmlsoap.org/ws/2004/08/addressing
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
http://schemas.xmlsoap.org/ws/2005/02/rmX
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/
Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory (each of the following in all five regions):
http://tempuri.org/Entity/Id10LR
http://tempuri.org/Entity/Id10Response
http://tempuri.org/Entity/Id11LR
http://tempuri.org/Entity/Id11Response
http://tempuri.org/Entity/Id12LR
http://tempuri.org/Entity/Id12Response
http://tempuri.org/Entity/Id13LR
http://tempuri.org/Entity/Id13Response
http://tempuri.org/Entity/Id14LR
http://tempuri.org/Entity/Id14Response
http://tempuri.org/Entity/Id15LR
http://tempuri.org/Entity/Id15Response
http://tempuri.org/Entity/Id16LR
http://tempuri.org/Entity/Id16Response
http://tempuri.org/Entity/Id17LR
http://tempuri.org/Entity/Id17Response
http://tempuri.org/Entity/Id18LR
http://tempuri.org/Entity/Id18Response
http://tempuri.org/Entity/Id19LR
http://tempuri.org/Entity/Id19Response
http://tempuri.org/Entity/Id1LR
http://tempuri.org/Entity/Id1Response
http://tempuri.org/Entity/Id20LR
http://tempuri.org/Entity/Id20Response
http://tempuri.org/Entity/Id21LR
http://tempuri.org/Entity/Id21Response
http://tempuri.org/Entity/Id22LR
http://tempuri.org/Entity/Id22Response
http://tempuri.org/Entity/Id23LR
http://tempuri.org/Entity/Id23Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/x
                  Source: Xf3rn1smZw.exe, 00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000000.00000002.1373252363.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2620504999.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                  Source: Xf3rn1smZw.exeString found in binary or memory: https://api.libertyreserve.com/beta/xml/
                  Source: Xf3rn1smZw.exeString found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c
                  Source: Xf3rn1smZw.exeString found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c
                  Source: Xf3rn1smZw.exeString found in binary or memory: https://api.libertyreserve.com/beta/xml/history.aspx
                  Source: Xf3rn1smZw.exeString found in binary or memory: https://api.libertyreserve.com/beta/xml/transfer.aspx
                  Source: Xf3rn1smZw.exeString found in binary or memory: https://sci.libertyreserve.com/

                  System Summary

                  Source: 3.2.Xf3rn1smZw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.Xf3rn1smZw.exe.46373c8.0.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.Xf3rn1smZw.exe.46373c8.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.Xf3rn1smZw.exe.45a7da8.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.Xf3rn1smZw.exe.4518788.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_0290D57C
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07204180
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_072090E8
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07202B58
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07204A80
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_0720353A
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07203548
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_072034A0
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_0720C480
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07204170
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07203140
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07203150
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07205021
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07205030
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07200007
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07200040
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_072090D8
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07202E02
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07202E10
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_0720CCF0
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07202B4A
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07204A71
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07202AD6
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_07203908
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_0720C8B8
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_072038F8
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 3_2_028F25F9
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 3_2_028FDC74
                  Source: Xf3rn1smZw.exe, 00000000.00000000.1356834521.0000000000790000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameoQRC.exe4 vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe, 00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe, 00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe, 00000000.00000002.1373252363.00000000046B6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe, 00000000.00000002.1373252363.0000000003A69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe, 00000000.00000002.1384555784.0000000005520000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe, 00000000.00000002.1386136729.000000000B680000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe, 00000000.00000002.1371054006.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2620504999.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSteanings.exe8 vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe Binary or memory string: OriginalFilenameoQRC.exe4 vs Xf3rn1smZw.exe
                  Source: Xf3rn1smZw.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 3.2.Xf3rn1smZw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.Xf3rn1smZw.exe.46373c8.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.Xf3rn1smZw.exe.46373c8.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.Xf3rn1smZw.exe.45a7da8.1.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.Xf3rn1smZw.exe.4518788.2.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: Xf3rn1smZw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@0/1
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xf3rn1smZw.exe.log
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Mutant created: NULL
                  Source: Xf3rn1smZw.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Xf3rn1smZw.exe ReversingLabs: Detection: 76%
                  Source: Xf3rn1smZw.exe Virustotal: Detection: 79%
                  Source: Xf3rn1smZw.exe String found in binary or memory: PageCount-Start date is missing.MHistory is not available before '{0}'.
                  Source: unknown Process created: C:\Users\user\Desktop\Xf3rn1smZw.exe "C:\Users\user\Desktop\Xf3rn1smZw.exe"
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Process created: C:\Users\user\Desktop\Xf3rn1smZw.exe "C:\Users\user\Desktop\Xf3rn1smZw.exe"
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: iconcodecservice.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: msvcp140_clr0400.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: Xf3rn1smZw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Xf3rn1smZw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb<x source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb9 source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbk source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000D0C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Code function: 0_2_0290E9B8 pushfd ; retf 0_2_0290E9B9
                  Source: Xf3rn1smZw.exe Static PE information: section name: .text entropy: 7.661544124615996
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Source: Yara match, File source: Process Memory Space: Xf3rn1smZw.exe PID: 3316, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 28A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 2A60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 4A60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 8E70000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 7710000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 9E70000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: AE70000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: B710000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: C710000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: D710000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 28F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 2930000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: 4930000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe TID: 2656 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Thread delayed: delay time: 922337203685477
                  Source: Xf3rn1smZw.exe, 00000003.00000002.2621131062.0000000000D0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Memory written: C:\Users\user\Desktop\Xf3rn1smZw.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Process created: C:\Users\user\Desktop\Xf3rn1smZw.exe "C:\Users\user\Desktop\Xf3rn1smZw.exe"
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Users\user\Desktop\Xf3rn1smZw.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Users\user\Desktop\Xf3rn1smZw.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Xf3rn1smZw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  barindex
                  Source: Yara match, File source: 3.2.Xf3rn1smZw.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Xf3rn1smZw.exe.46373c8.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Xf3rn1smZw.exe.46373c8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Xf3rn1smZw.exe.45a7da8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Xf3rn1smZw.exe.4518788.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000000.00000002.1373252363.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000003.00000002.2620504999.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: Xf3rn1smZw.exe PID: 3316, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: Xf3rn1smZw.exe PID: 6212, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Source: Yara match, File source: 3.2.Xf3rn1smZw.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Xf3rn1smZw.exe.46373c8.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Xf3rn1smZw.exe.46373c8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Xf3rn1smZw.exe.45a7da8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.Xf3rn1smZw.exe.4518788.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000000.00000002.1373252363.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000003.00000002.2620504999.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: Xf3rn1smZw.exe PID: 3316, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: Xf3rn1smZw.exe PID: 6212, type: MEMORYSTR

                  MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the count of report signatures that hit that technique, techniques without a number are the unmarked matrix cells)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                  Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                  Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                  Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                  Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (111); Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1)
                  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                  Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (31); System Information Discovery (12); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                  Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                  Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                  Antivirus detection for the submitted sample

                  Source | Detection | Scanner | Label | Link
                  Xf3rn1smZw.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.StormKitty |
                  Xf3rn1smZw.exe | 79% | Virustotal | | Browse
                  Xf3rn1smZw.exe | 100% | Avira | HEUR/AGEN.1305624 |
                  Xf3rn1smZw.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches

                  Antivirus detection for URLs and IPs

                  Source | Detection | Scanner | Label | Link
                  87.120.120.86:1912 | 0% | Avira URL Cloud | safe |
                  https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c | 0% | Avira URL Cloud | safe |
                  https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c | 0% | Avira URL Cloud | safe |
                  Contacted domains

                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high

                  Contacted IPs

                  Name | Malicious | Antivirus Detection | Reputation
                  87.120.120.86:1912 | true | Avira URL Cloud: safe | unknown
                  URLs found in memory or binary data

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://tempuri.org/Entity/Id10Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id24LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id8Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id22LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id20LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id12Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://schemas.xmlsoap.org/soap/envelope/ | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id2Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id21Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id19LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id23Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id17LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id15LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id9LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id19Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id13LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/Entity/Id7LR | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://api.libertyreserve.com/beta/xml/transfer.aspx | Xf3rn1smZw.exe | false
                                                        high
                                                        http://tempuri.org/Entity/Id11LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://tempuri.org/Entity/Id17ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://tempuri.org/Entity/Id1LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id5LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id20ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id3LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id15ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id13ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id4ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://tempuri.org/Entity/Id6ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://api.ip.sb/ipXf3rn1smZw.exe, 00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000000.00000002.1373252363.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2620504999.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id23LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id7ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://tempuri.org/Entity/Id21LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/xXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id11ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://api.libertyreserve.com/beta/xml/history.aspxXf3rn1smZw.exefalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id9ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id22ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id24ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id1ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://api.libertyreserve.com/beta/xml/Xf3rn1smZw.exefalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id18LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id16LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id8LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.cXf3rn1smZw.exefalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id14LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id6LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id18ResponseXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.cXf3rn1smZw.exefalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://tempuri.org/Entity/Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id12LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://tempuri.org/Entity/Id10LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://tempuri.org/Entity/Id4LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://tempuri.org/Entity/Id2LRXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rmXXf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
http://tempuri.org/Entity/Id3Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id16Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | high
https://sci.libertyreserve.com/ | Xf3rn1smZw.exe | false | high
http://tempuri.org/Entity/Id5Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/actor/next | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/Entity/Id14Response | Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002A93000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002AE2000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Xf3rn1smZw.exe, 00000003.00000002.2622521591.0000000002B30000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.120.86 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587910
Start date and time: 2025-01-10 19:16:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Xf3rn1smZw.exe (renamed because the original name is a hash value)
Original Sample Name: 0766e43d3968a048e78c18383353ea6450934bcd0427ec9757c8da2570884580.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 51
• Number of non-executed functions: 17
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behaviour information
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:17:18 | API Interceptor | 1x Sleep call for process: Xf3rn1smZw.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
87.120.120.86 | 2eRd5imEKU.exe | malicious | RedLine
87.120.120.86 | 2eRd5imEKU.exe | malicious | RedLine
87.120.120.86 | 17.12.2024 ________.exe | malicious | RedLine
87.120.120.86 | #U0417#U0430#U043f#U0440#U043e#U0441 11.12.2024.exe | malicious | RedLine
87.120.120.86 | po4877383.exe | malicious | RedLine
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | ThBJg59JRC.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 293816234142143228.js | malicious | Strela Downloader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Voicemail_+Transcription+_ATT006151.docx | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | MWP0FO5rAF.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 3HnH4uJtE7.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Encrypted_Archive_2025_LHC1W64SMW.html | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | GcA5z6ZWRK.exe | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Unconfirmed 287374.eml | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.depoqq.win/geno | malicious | Unknown | 13.107.246.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNACS-AS-BG8000BurgasBG | wqSmINeWgm.exe | malicious | RedLine | 87.120.120.7
UNACS-AS-BG8000BurgasBG | 2eRd5imEKU.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | 2eRd5imEKU.exe | malicious | RedLine | 87.120.120.86
UNACS-AS-BG8000BurgasBG | 17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | malicious | XWorm | 87.120.116.179
UNACS-AS-BG8000BurgasBG | Material Requirments.pif.exe | malicious | Remcos, PureLog Stealer | 87.120.116.245
UNACS-AS-BG8000BurgasBG | Material requirements_1.pif.exe | malicious | Remcos | 87.120.116.245
UNACS-AS-BG8000BurgasBG | 17363482243fcf48f1d103ef5a4702c871424ad69b9eb7d3f5e5957f5c4810f2a51fea8e76776.dat-decoded.exe | malicious | XWorm | 87.120.116.179
UNACS-AS-BG8000BurgasBG | 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | malicious | XWorm | 87.120.116.179
UNACS-AS-BG8000BurgasBG | Inquiry List.doc | malicious | DarkVision Rat | 87.120.113.91
UNACS-AS-BG8000BurgasBG | 3lhrJ4X.exe | malicious | LiteHTTP Bot | 87.120.126.5
No context
No context
Process: C:\Users\user\Desktop\Xf3rn1smZw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.650401988316433
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Xf3rn1smZw.exe
File size: 846'336 bytes
MD5: 223342da9548abad8b253b0918baffd1
SHA1: 9d1dfe8772a94721f3aaeef0077dd867987973f9
SHA256: 0766e43d3968a048e78c18383353ea6450934bcd0427ec9757c8da2570884580
SHA512: e655ffeb9b63bbab56b8bd7246fe6ace7e4235e86950c8a673340ad2ab99d841b75328671a6f314e63d5b181f8b38870fb6a6e5d9ae28a6d3fe6e0c9a01c0289
SSDEEP: 12288:C88f2uE1zDYj657DjU2HAu4TjYMJ5Q0PepO/lJhaFv3Ji6L8cUK:C8u2uOC6pDjU2HAu6YGQ3wJhwvxPU
TLSH: A505CFD03F3AB706DE786534C536DCB862692E687000B9E76EDD3B477698202AE1CF51
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.ag..............0.................. ........@.. .......................@............@................................
Icon Hash: 32642092d4f29244
Entrypoint: 0x4cee8a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6761955F [Tue Dec 17 15:14:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
                                                                                                                                                                        File Version Major:4
                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                        Subsystem Version Major:4
                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcee38 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x1440 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xcce98 | 0xcd000 | f2b7585300c737a8de29f5c3f7293b6f | False | 0.8707805354420731 | data | 7.661544124615996 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xd0000 | 0x1440 | 0x1600 | 35f32badc69ce0d844393b508ed8e867 | False | 0.357421875 | data | 4.88956655348528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xd2000 | 0xc | 0x200 | ea4e6549b3b941567250f70ab7acca13 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xd0118 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.3726547842401501 |
| RT_GROUP_ICON | 0xd11c0 | 0x14 | data | | | 1.1 |
| RT_GROUP_ICON | 0xd11d4 | 0x14 | data | | | 1.05 |
| RT_VERSION | 0xd11e8 | 0x258 | data | | | 0.485 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 10, 2025 19:17:22.115499020 CET | 49755 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:17:22.120316029 CET | 1912 | 49755 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:17:22.120430946 CET | 49755 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:17:22.129415989 CET | 49755 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:17:22.134179115 CET | 1912 | 49755 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:17:43.476161003 CET | 1912 | 49755 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:17:43.476286888 CET | 49755 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:17:43.498215914 CET | 49755 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:17:48.525563955 CET | 49920 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:17:48.530348063 CET | 1912 | 49920 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:17:48.530482054 CET | 49920 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:17:48.530852079 CET | 49920 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:17:48.535681963 CET | 1912 | 49920 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:18:09.883151054 CET | 1912 | 49920 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:18:09.883251905 CET | 49920 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:18:09.883542061 CET | 49920 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:18:14.899552107 CET | 49981 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:18:14.904484987 CET | 1912 | 49981 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:18:14.904555082 CET | 49981 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:18:14.904791117 CET | 49981 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:18:14.909631968 CET | 1912 | 49981 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:18:36.243005037 CET | 1912 | 49981 | 87.120.120.86 | 192.168.2.9 |
| Jan 10, 2025 19:18:36.243237972 CET | 49981 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:18:36.243400097 CET | 49981 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:18:41.259733915 CET | 49982 | 1912 | 192.168.2.9 | 87.120.120.86 |
| Jan 10, 2025 19:18:41.264626026 CET | 1912 | 49982 | 87.120.120.86 | 192.168.2.9 |
                                                                                                                                                                        Jan 10, 2025 19:18:41.264710903 CET499821912192.168.2.987.120.120.86
                                                                                                                                                                        Jan 10, 2025 19:18:41.264935017 CET499821912192.168.2.987.120.120.86
                                                                                                                                                                        Jan 10, 2025 19:18:41.269675970 CET19124998287.120.120.86192.168.2.9
                                                                                                                                                                        Jan 10, 2025 19:19:02.774748087 CET19124998287.120.120.86192.168.2.9
                                                                                                                                                                        Jan 10, 2025 19:19:02.776561975 CET499821912192.168.2.987.120.120.86
                                                                                                                                                                        Jan 10, 2025 19:19:02.777976036 CET499821912192.168.2.987.120.120.86
                                                                                                                                                                        Jan 10, 2025 19:19:07.805444956 CET499831912192.168.2.987.120.120.86
                                                                                                                                                                        Jan 10, 2025 19:19:07.810307026 CET19124998387.120.120.86192.168.2.9
                                                                                                                                                                        Jan 10, 2025 19:19:07.810409069 CET499831912192.168.2.987.120.120.86
                                                                                                                                                                        Jan 10, 2025 19:19:07.810631990 CET499831912192.168.2.987.120.120.86
                                                                                                                                                                        Jan 10, 2025 19:19:07.815418005 CET19124998387.120.120.86192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 19:17:13.906418085 CET | 1.1.1.1 | 192.168.2.9 | 0x3034 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 19:17:13.906418085 CET | 1.1.1.1 | 192.168.2.9 | 0x3034 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 13:17:17
Start date: 10/01/2025
Path: C:\Users\user\Desktop\Xf3rn1smZw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Xf3rn1smZw.exe"
Imagebase: 0x6c0000
File size: 846'336 bytes
MD5 hash: 223342DA9548ABAD8B253B0918BAFFD1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1373252363.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1373252363.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 13:17:19
Start date: 10/01/2025
Path: C:\Users\user\Desktop\Xf3rn1smZw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Xf3rn1smZw.exe"
Imagebase: 0x5f0000
File size: 846'336 bytes
MD5 hash: 223342DA9548ABAD8B253B0918BAFFD1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2620504999.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 10.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 78
Total number of Limit Nodes: 5

execution_graph (interactive graph not reproduced; the API-calling nodes listed in the graph data, by address):
• 290d650: DuplicateHandle
• 720eb8b: ReadProcessMemory
• 290afa0: GetModuleHandleW
• 720e848: ResumeThread
• 72027c0, 7202779, 7202770, 7202778, 720271a: VirtualProtect
• 290d046, 290d0d5: GetCurrentProcess
• 290d098: GetCurrentThread
• 290d133: GetCurrentThreadId
• 720ea98: WriteProcessMemory
• 720e9d0: VirtualAllocEx
• 720e8fd: Wow64SetThreadContext
• 29044b0, 29058f8: CreateActCtxA
• 720ed61: CreateProcessA

Control-flow Graph

control_flow_graph (interactive basic-block graph not reproduced): function at 7204170-7204480; block 72042af-72042b5 calls 72045c2.

Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: TuA$UC;"
• API String ID: 0-2071649361
• Opcode ID: e29207d9d3f0e3ffe7c2ff30567b9598f5403b7e64790b81f8619e3d24216d03
• Instruction ID: 4cdc62a68deb11531e0a888ca93119a9d049bf05b15bb9ba7db842451ee128a9
• Opcode Fuzzy Hash: e29207d9d3f0e3ffe7c2ff30567b9598f5403b7e64790b81f8619e3d24216d03
• Instruction Fuzzy Hash: 96915D75D25209EFCB08CFE6E48059EFBB2EF8A310F20E42AE515A72A4D7709501CF50

Control-flow Graph

control_flow_graph (interactive basic-block graph not reproduced): function at 7204180-7204480; block 72042af-72042b5 calls 72045c2.

Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: TuA$UC;"
• API String ID: 0-2071649361
• Opcode ID: be2ef513414ae84061134c3e5452fbf8660d41978c2047759c1dd2ad750db73b
• Instruction ID: 5ceff6a62a6ccb359294706e116959d8bb05be5c8cdcaea8a918e7fd8f846de6
• Opcode Fuzzy Hash: be2ef513414ae84061134c3e5452fbf8660d41978c2047759c1dd2ad750db73b
• Instruction Fuzzy Hash: 37913DB5D24209EFCB08CFE6E48459EFBB2EF8A310F20E42AE515A7264D7709542CF50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: 5=6
• API String ID: 0-2897083178
• Opcode ID: 99281f959ddb825b875faf1c0457ea4083c8739b3dd6730ce3d4fdb35e5beb8c
• Instruction ID: 7e29e754c021a8f7ed89e0800524667ff48cae96fc6131cafe5d50bb50de43ed
• Opcode Fuzzy Hash: 99281f959ddb825b875faf1c0457ea4083c8739b3dd6730ce3d4fdb35e5beb8c
• Instruction Fuzzy Hash: 10817CB4D2924ADFCB04CFA5D84959EFFF2BF8A201F1094AAD015E7291DB785A01CF64

Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: 5=6
• API String ID: 0-2897083178
• Opcode ID: c2f9c5905ba9b6f0bd8c554fa84bbecdb0e82f93783b6bc9846fbb226b59903a
• Instruction ID: 830bb79dba9570a8b8002b1e4d750609a08d62412964a90e837b0c8788736c89
• Opcode Fuzzy Hash: c2f9c5905ba9b6f0bd8c554fa84bbecdb0e82f93783b6bc9846fbb226b59903a
• Instruction Fuzzy Hash: CD714C74E2520ADFCB04CFA5D84959EFBF2BF89201F10D46AD015E7294DB749A01DFA4

Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: 5=6
                                                                                                                                                                          • API String ID: 0-2897083178
                                                                                                                                                                          • Opcode ID: 23eb09e8f17aada984a40ae00ca3fc066a6fa4f57867ad61eb2ff6a25ec57ab1
                                                                                                                                                                          • Instruction ID: ae079695658f268bfb559ccbb039ff9c3ba7e2a46495328195798462c0949578
                                                                                                                                                                          • Opcode Fuzzy Hash: 23eb09e8f17aada984a40ae00ca3fc066a6fa4f57867ad61eb2ff6a25ec57ab1
                                                                                                                                                                          • Instruction Fuzzy Hash: D6613A74E2520ADFCB08CFA5D8495AEFBF2BF89201F10D46AD015E7294DB749A01DFA4
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: c85bc9118900e203e25967cbcef934dc671d2f9ed301b14b716de8d941c7251b
                                                                                                                                                                          • Instruction ID: 98e542737522016e66a974a866d8a4bad7c6c66c193b941cd29a1cd24f6a1864
                                                                                                                                                                          • Opcode Fuzzy Hash: c85bc9118900e203e25967cbcef934dc671d2f9ed301b14b716de8d941c7251b
                                                                                                                                                                          • Instruction Fuzzy Hash: 76B10AB0D25249DFCB18DFE6D58069EFBB6BF8A300F20D429D115A7295DB34AA06CF50
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: dd794499e977d049f14e43b783ad25cdeb0010f08a9611a13578750385035538
                                                                                                                                                                          • Instruction ID: a5ca1e9b53756b417438cf951f038d8f7fa10ed3a355548a207ebe1f3f9df992
                                                                                                                                                                          • Opcode Fuzzy Hash: dd794499e977d049f14e43b783ad25cdeb0010f08a9611a13578750385035538
                                                                                                                                                                          • Instruction Fuzzy Hash: D0B10CB1D25249DFCB18DFE6D54069EFBB2BF8A200F20D42AD115A7295D734AA06CF50
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 6ccfbbe9694a8c10c27d4dbdcfe5277ebbc57d7a557ea06d26ea175b47712996
                                                                                                                                                                          • Instruction ID: b88367bfe77ce6227f72e4803902bfb4d02d2367b751f31ba2472957f13cfc84
                                                                                                                                                                          • Opcode Fuzzy Hash: 6ccfbbe9694a8c10c27d4dbdcfe5277ebbc57d7a557ea06d26ea175b47712996
                                                                                                                                                                          • Instruction Fuzzy Hash: D5310AB0E14259CFDF18CFAAC84479DFBF6AF89300F10C4A6D80AA7255DB7459858F50
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 9ecc5a08d807c44107f944675ac7dd129402755383e36257e731585f4cb446d7
                                                                                                                                                                          • Instruction ID: 102e04fe1071dfba24b1ea5c3bdcafc34e7ff497d5f1f82c458dc577a7b7d3d7
                                                                                                                                                                          • Opcode Fuzzy Hash: 9ecc5a08d807c44107f944675ac7dd129402755383e36257e731585f4cb446d7
                                                                                                                                                                          • Instruction Fuzzy Hash: 0D2119B1E14259CFDB18CFA6C84469EFBF6AFC9300F04C07AD809A6296DB7415868F90

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0290D07E
• GetCurrentThread.KERNEL32 ref: 0290D0BB
• GetCurrentProcess.KERNEL32 ref: 0290D0F8
• GetCurrentThreadId.KERNEL32 ref: 0290D151
Memory Dump Source
• Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 997d618ae12a35aa8594cc53600deef96b2844e7d8fcbf2a60c267b1bfa088e5
• Instruction ID: 9306a05c3f144c1f08bb9d2c8ef8ee7395922dd535037a2501c171c496cb30e9
• Opcode Fuzzy Hash: 997d618ae12a35aa8594cc53600deef96b2844e7d8fcbf2a60c267b1bfa088e5
• Instruction Fuzzy Hash: 4C5178B09007498FEB14DFAAD588B9EBBF1EF49304F208459E009A73A0DB75AD45CF65

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0290D07E
• GetCurrentThread.KERNEL32 ref: 0290D0BB
• GetCurrentProcess.KERNEL32 ref: 0290D0F8
• GetCurrentThreadId.KERNEL32 ref: 0290D151
Memory Dump Source
• Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 8ee7735594cb5285c2e8bafcb52db26aa1ccf8a715b7795140fabf898154b4f5
• Instruction ID: 9ef21ed168885d184afed135ffec294a13a5191dee6b29e7ae505198661ea667
• Opcode Fuzzy Hash: 8ee7735594cb5285c2e8bafcb52db26aa1ccf8a715b7795140fabf898154b4f5
• Instruction Fuzzy Hash: BB5177B09007098FEB14DFAAD588B9EBBF1EF49304F208059E409A7390DB75AD44CF66

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0720EF0E
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 50b56e6e27133e6329ace1a92c36423564737bd950a4a04bf38d2b44d341f653
• Instruction ID: 8478d8e93a0b439df4fa44fd9acec8ab3cbd6d17ed13ff599a094459c11d6efd
• Opcode Fuzzy Hash: 50b56e6e27133e6329ace1a92c36423564737bd950a4a04bf38d2b44d341f653
• Instruction Fuzzy Hash: E2914AB1D1035ACFEB20DF68C84479DBBB6FF48310F158569D818A7281DB749985CFA2

Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0290AFBE
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4139908857-0
                                                                                                                                                                          • Opcode ID: 6fec3a43aa1a2972eaae45759b2a93c758aa8373e6c7b3ba026b5645d70e79d3
                                                                                                                                                                          • Instruction ID: d535e8c1e178a348732a07afd94a18bd4e9abd40caceacb3838f6ba2c9fb6019
                                                                                                                                                                          • Opcode Fuzzy Hash: 6fec3a43aa1a2972eaae45759b2a93c758aa8373e6c7b3ba026b5645d70e79d3
                                                                                                                                                                          • Instruction Fuzzy Hash: B2712770A00B098FE724DF29D08475ABBF5FF88304F10892DD58AD7A90DB75E949CB91

Control-flow Graph (entry block 29058ed-290596c; rendered graph omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 029059A9
Memory Dump Source
• Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph (entry block 29044b0-29059b9; rendered graph omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 029059A9
Memory Dump Source
• Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph (entry block 2905a64-2905a70; rendered graph omitted)
Memory Dump Source
• Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph (entry block 720271a-7202721; rendered graph omitted)
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 072027EB
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0

Control-flow Graph (entry block 720ea50-720ea9e; rendered graph omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0720EAE0
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph (entry block 290d648-290d6e4; rendered graph omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0290D6D7
Memory Dump Source
• Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph (entry block 720eb40-720ebcd; rendered graph omitted)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0720EBC0
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph (entry block 720e8b8-720e903; rendered graph omitted)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0720E936
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph (entry block 290d650-290d6e4; rendered graph omitted)
                                                                                                                                                                          APIs
                                                                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0290D6D7
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DuplicateHandle
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3793708945-0
                                                                                                                                                                          • Opcode ID: 1ee78ed734d02239b320828311b4004743e6c878c1ddef3288d8613a417c3770
                                                                                                                                                                          • Instruction ID: bd830c5cf3737e2637b206684b552181e8aab76caf2a5aacbcfce86c8228ad5f
                                                                                                                                                                          • Opcode Fuzzy Hash: 1ee78ed734d02239b320828311b4004743e6c878c1ddef3288d8613a417c3770
                                                                                                                                                                          • Instruction Fuzzy Hash: D221E0B5900249DFDB10CFAAD984ADEBBF8EB48310F14801AE918A3350D378A940CFA5
                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 072027EB
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 544645111-0
                                                                                                                                                                          • Opcode ID: 5e9cc7269219391c46e9d2eec03b5c1159e582ca8cb23f343259603fae660759
                                                                                                                                                                          • Instruction ID: 6f18189a8fdf4fb6d055359e8c900b213b52f58c6f48de07cc63b92a1a3b8e59
                                                                                                                                                                          • Opcode Fuzzy Hash: 5e9cc7269219391c46e9d2eec03b5c1159e582ca8cb23f343259603fae660759
                                                                                                                                                                          • Instruction Fuzzy Hash: F521F4B5910249DFDB10CF9AC985BDEBBF4FB48310F14842AE858A7251D378A544CFA1
                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 072027EB
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 544645111-0
                                                                                                                                                                          • Opcode ID: 727583b369b44f62a1add906501810162e48dd07a2b7ba5b532a3ca5d43cf598
                                                                                                                                                                          • Instruction ID: 670a70444e74de66d15f04931dbcdd75233578fab288046ee3aca016a9f3c297
                                                                                                                                                                          • Opcode Fuzzy Hash: 727583b369b44f62a1add906501810162e48dd07a2b7ba5b532a3ca5d43cf598
                                                                                                                                                                          • Instruction Fuzzy Hash: BF21E4B5900249DFDB10CF9AC984BDEFBF4FB48320F10842AE958A7251D378A644CFA1
                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0720E9FE
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                                                          • Opcode ID: 3609c28354dcd9c497b2ab4baf21b0948ca746057bdcc4bb7f04e212e51439dc
                                                                                                                                                                          • Instruction ID: 9e2a36a5cf511f4f86ebbf1929b17bc9f7fcf809bcaae9111d2ec83bb11ba2a5
                                                                                                                                                                          • Opcode Fuzzy Hash: 3609c28354dcd9c497b2ab4baf21b0948ca746057bdcc4bb7f04e212e51439dc
                                                                                                                                                                          • Instruction Fuzzy Hash: D71137728003499FDB10DFAAC845BDEBBF5EF48310F148819E559A7250C7759550CFA1
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ResumeThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 947044025-0
                                                                                                                                                                          • Opcode ID: 390e68d1dda6975e89a11e917c0106abd1b2abf00fc7f65a91714c46309e19bd
                                                                                                                                                                          • Instruction ID: 7c4c617d0509973a852ef8984a028e0c6acd7eb85bbadd036f3856dc2fcd2d5a
                                                                                                                                                                          • Opcode Fuzzy Hash: 390e68d1dda6975e89a11e917c0106abd1b2abf00fc7f65a91714c46309e19bd
                                                                                                                                                                          • Instruction Fuzzy Hash: A41128B1D003498BDB10DFAAC4457DEFBF4EB88314F148829D559A7240C7796544CBA5
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0290AFBE
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4139908857-0
                                                                                                                                                                          • Opcode ID: 702bdac07538f6b2a4f1aa1e62ea4d1ab31e9f7af5a831405ffe70757eebcdc4
                                                                                                                                                                          • Instruction ID: 955bf14d058f60763d036676b91201b22861d67fae2a979e297933dcafdf987a
                                                                                                                                                                          • Opcode Fuzzy Hash: 702bdac07538f6b2a4f1aa1e62ea4d1ab31e9f7af5a831405ffe70757eebcdc4
                                                                                                                                                                          • Instruction Fuzzy Hash: A51110B6C003498FDB10CF9AC544BDEFBF8EB88314F10842AD518A7640C379A545CFA1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1370796075.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_d6d000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: f5212e61e090c5cbd33054ea89e03c6b3f20846c59e9f7adc1121a672fb7cabc
                                                                                                                                                                          • Instruction ID: fba2b2451d9881fcdfae29ebb1e556d86c214169c353fc2697e630a69cb0f90f
                                                                                                                                                                          • Opcode Fuzzy Hash: f5212e61e090c5cbd33054ea89e03c6b3f20846c59e9f7adc1121a672fb7cabc
                                                                                                                                                                          • Instruction Fuzzy Hash: 94210671A00244DFDB04DF10E9C0B16BB66FB98314F24C169D8094B256C736FC56CAB2
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1370796075.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_d6d000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 84fa671073fb7464cb4431050ae7c942f8a81023d182cc79fc23b03d986c145b
                                                                                                                                                                          • Instruction ID: fa93636c759c625a4ca9a1660b55a120b9cb4c4721e62b7c49f70efe16bc4c11
                                                                                                                                                                          • Opcode Fuzzy Hash: 84fa671073fb7464cb4431050ae7c942f8a81023d182cc79fc23b03d986c145b
                                                                                                                                                                          • Instruction Fuzzy Hash: 95210371A04340DFDB15DF10E9C0B26BB66FB88318F28C569E84A0B656C336D856CAB2
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1370856678.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_d7d000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 9420a749f102b078b9d61628c9ec66fea1a154fd523b6f9937459aecb018c2cf
                                                                                                                                                                          • Instruction ID: 109c92d661d6931c883056557cc3d41e6133a7a6c1b5654f139ecdc456641e30
                                                                                                                                                                          • Opcode Fuzzy Hash: 9420a749f102b078b9d61628c9ec66fea1a154fd523b6f9937459aecb018c2cf
                                                                                                                                                                          • Instruction Fuzzy Hash: 4421CF71604244AFDB05DF10D9C0B26BBB6FF84314F28C5A9E84E4B292D336D846CA75
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1370856678.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_d7d000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 4d466e7f8793fd6399562fb5d71e1b2fb5e0d3b596eb59db0246fa42fb62d9fc
                                                                                                                                                                          • Instruction ID: dc58b5540aafb0e79aeef5bac96c949459e96b5a060e188f766192b632a4df76
                                                                                                                                                                          • Opcode Fuzzy Hash: 4d466e7f8793fd6399562fb5d71e1b2fb5e0d3b596eb59db0246fa42fb62d9fc
                                                                                                                                                                          • Instruction Fuzzy Hash: AD21CF756042449FDB14DF10D980B26BB66EF84314F28C569E84E4B286D336D846CA72
                                                                                                                                                                          Memory Dump Source
• Source File: 00000000.00000002.1370856678.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d7d000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26b74cca128eda51b8232ff02ab8c4d1b5c03b2717a545d2b4bbf87377c522d3
• Instruction ID: 7c5ab9e7038298448ff5181c204e9e0784010b01123379d8d051039045ff9f62
• Opcode Fuzzy Hash: 26b74cca128eda51b8232ff02ab8c4d1b5c03b2717a545d2b4bbf87377c522d3
• Instruction Fuzzy Hash: 722150755093808FCB12CF24D994715BF72EF46314F28C5EBD8498B6A7D33A984ACB62
Memory Dump Source
• Source File: 00000000.00000002.1370796075.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d6d000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction ID: 205a5f8bc8178c46ce6dbbaa48d2349178832dcc42b97920f28143b35fee6bb1
• Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction Fuzzy Hash: B611E676904240DFCF15CF10D5C4B56BF72FB94324F28C6A9D8094B656C33AE856CBA1
Memory Dump Source
• Source File: 00000000.00000002.1370796075.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d6d000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction ID: d409b546ac582ed984937f2736f863a2c3022605be6a30636f3c0b0e0579135b
• Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction Fuzzy Hash: 4111E676904280CFCF15CF10D5C4B56BF72FB94318F28C6AAD84A0B656C336D856CBA1
Memory Dump Source
• Source File: 00000000.00000002.1370856678.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d7d000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
• Instruction ID: 139faa87f50404f003b8ab512dcf42755b27ba38a6badc848cc9456ba0d162af
• Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
• Instruction Fuzzy Hash: 89118B75504280DFCB15CF50D5C4B15BBB2FF84314F28C6AAD8494B696D33AD84ACB61
Memory Dump Source
• Source File: 00000000.00000002.1370796075.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d6d000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cd24e25096f200fd9d9a9aea697d3bb8adfb523bf2ca7f904f6b5b00d7064b5
• Instruction ID: a410a7e30c1d928380a181f98fea52efcfd1a06546c2a48c98597bd786c63f0c
• Opcode Fuzzy Hash: 5cd24e25096f200fd9d9a9aea697d3bb8adfb523bf2ca7f904f6b5b00d7064b5
• Instruction Fuzzy Hash: 46012631A043409BF7108E25ED84B26BB98DF41324F1CC52AED0A4A282D679D800CAB3
Memory Dump Source
• Source File: 00000000.00000002.1370796075.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d6d000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1398f27cea535acaa97823bdb01807d53e0fc0a0e23e8229007cfa4c81a071a
• Instruction ID: c8f7c0301e71c0a262aba4c770a6aa8405a9c7651f77dd8b110f487264686a85
• Opcode Fuzzy Hash: a1398f27cea535acaa97823bdb01807d53e0fc0a0e23e8229007cfa4c81a071a
• Instruction Fuzzy Hash: F5F062715043449FE7108E16D988B62FB98EB91734F18C45AED094A286C2799C44CAB2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: {#L
• API String ID: 0-1361971085
• Opcode ID: fc0ffe416b703f5390d3f5b8cbf46ee490b26ddb508bb4233c71183bcce730b9
• Instruction ID: 880f76e52cdb9f8fad8ca77fadf81923fdd1408df664e2ecdb07c49db0541eff
• Opcode Fuzzy Hash: fc0ffe416b703f5390d3f5b8cbf46ee490b26ddb508bb4233c71183bcce730b9
• Instruction Fuzzy Hash: 7CD129B1D25619DFDB18CFA6D58099EFBF2FF89300F14D52AD015AB265E73099028FA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: {#L
• API String ID: 0-1361971085
• Opcode ID: 219412df4f996d78bba5d8a2bb12f0c8c79af8d334d7fa2f09ae83c80c8b40e8
• Instruction ID: 957fdb58fb9b6eb91e1bf6b49723337fd981dd9465653aab44b317cb54266dda
• Opcode Fuzzy Hash: 219412df4f996d78bba5d8a2bb12f0c8c79af8d334d7fa2f09ae83c80c8b40e8
• Instruction Fuzzy Hash: 0CD129B1E25619DFDB18CFA6D58099DFBF2FF89300F14D52AD015AB265E73099028FA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: w7e^
• API String ID: 0-1657886525
• Opcode ID: 9af055f199b70985a170ff03493fa88287b165a99305b2a6fb12600be48b901e
• Instruction ID: b3e7080fc831b812a7512d55792eba789078d026435e336f9a5d650b34ebe1a9
• Opcode Fuzzy Hash: 9af055f199b70985a170ff03493fa88287b165a99305b2a6fb12600be48b901e
• Instruction Fuzzy Hash: B65128B0D2121AEFCB04CFAAC8456EEBBF1FB8E301F14856AC415A7291D7784641CFA5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: iUfo
• API String ID: 0-3820436262
• Opcode ID: 51079b96776333ab0972cac9bae527a143e9154925311574c71425d6d09f67c2
• Instruction ID: b7092779fa89a46f0f788ecba7ecf728197aa8553db2357b42591bdd9caa9373
• Opcode Fuzzy Hash: 51079b96776333ab0972cac9bae527a143e9154925311574c71425d6d09f67c2
• Instruction Fuzzy Hash: 795106B4E212199FCB08CFAAD8855DEFBB2FF89301F10942AE405B7255EB7459418FA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: iUfo
• API String ID: 0-3820436262
• Opcode ID: 964aa72d00dd1745d9cf59be7732164cb9aee0f6e37568750aec0e5255929e1a
• Instruction ID: bf7532a5cd105bbeb21f261e6efae2c8c5148d57c8ff1a436ca3d810acf544d3
• Opcode Fuzzy Hash: 964aa72d00dd1745d9cf59be7732164cb9aee0f6e37568750aec0e5255929e1a
• Instruction Fuzzy Hash: 0A5106B4E212199FCF08CFAAD9495DEFBB2FF89301F10942AE405B7355E77459018BA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: 0ni
• API String ID: 0-1488673370
• Opcode ID: bd6212f488bc411e2c98477610318d345f611d1915c1861d221b04e988027f2c
• Instruction ID: e179f2f84b2a7d9fbdc36d259f06cb3d7c025eda61d90b505bd6933c742b4a9d
• Opcode Fuzzy Hash: bd6212f488bc411e2c98477610318d345f611d1915c1861d221b04e988027f2c
• Instruction Fuzzy Hash: AF519A71D057588FEB58CF6B8D4578AFBF3AFC9200F08C1AAD44CA6265DB340A858F51
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID: w7e^
• API String ID: 0-1657886525
• Opcode ID: ecfbe62b9a1c6a41077cbd483af8efbc081cdd9f0ff960dc7a4d4221df768a0b
• Instruction ID: 7c1b9a40ee82c4238a7def9b02bad7eb6bfa3a9f3c9a5277860ce2cb2f670ea2
• Opcode Fuzzy Hash: ecfbe62b9a1c6a41077cbd483af8efbc081cdd9f0ff960dc7a4d4221df768a0b
• Instruction Fuzzy Hash: E04104B4D2421ADBCB04CFAAC4445EEFBB1BB8E301F14952AC416B7295D77846428FA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: w7e^
                                                                                                                                                                          • API String ID: 0-1657886525
                                                                                                                                                                          • Opcode ID: 07cf976b1f908c0d21eac85d69a1c311e9a074d5e9a01e32f5e4788f4ffa92dc
                                                                                                                                                                          • Instruction ID: 6dc58295270bc57a18a15bef2a8e83a2ac8ad3ff0d488c7671a214126b005006
                                                                                                                                                                          • Opcode Fuzzy Hash: 07cf976b1f908c0d21eac85d69a1c311e9a074d5e9a01e32f5e4788f4ffa92dc
                                                                                                                                                                          • Instruction Fuzzy Hash: 744128B4D2021ADBCB04CFAAC8456EEFBB1BB8E300F54942AC005B7295D77846418FA8
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: 0ni
                                                                                                                                                                          • API String ID: 0-1488673370
                                                                                                                                                                          • Opcode ID: 2a71430bbc6afc14462f9c50489616f0a0e343dda27ddca5556c938f7f4176e1
                                                                                                                                                                          • Instruction ID: 97109088b9fabb14e298ecfe49ea2c97c68f4e326be17494b6fb1902164bee9a
                                                                                                                                                                          • Opcode Fuzzy Hash: 2a71430bbc6afc14462f9c50489616f0a0e343dda27ddca5556c938f7f4176e1
                                                                                                                                                                          • Instruction Fuzzy Hash: EE5159B1E116198BEB68CF6B9D4579AFAF3AFC9300F14C1BA950CA6254DB300A858F51
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 773bc4b503117b203ff021694097ee65f5322dd2a5a90d73ec42137bba57b678
                                                                                                                                                                          • Instruction ID: a65baef7ecc42ccc812ea2831fe6a9eacc1305973ef37e72928f53b0c6f12562
                                                                                                                                                                          • Opcode Fuzzy Hash: 773bc4b503117b203ff021694097ee65f5322dd2a5a90d73ec42137bba57b678
                                                                                                                                                                          • Instruction Fuzzy Hash: DAE10AB4E102198FDB14DF99C580AAEFBB2FF89305F248269D415AB356C7319D42CFA0
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 993ba2fcbd2bcb91733b263c36af4bb3bc59baa54c77b204f87be1e980498b50
                                                                                                                                                                          • Instruction ID: 35136bccfd7c1676bac7f23c9ea1e952df7caaaf7987c309dc57f8185a545064
                                                                                                                                                                          • Opcode Fuzzy Hash: 993ba2fcbd2bcb91733b263c36af4bb3bc59baa54c77b204f87be1e980498b50
                                                                                                                                                                          • Instruction Fuzzy Hash: 13E10BB4E102198FDB14DFA8C5809AEFBB2FF49305F248269D415A735AD7319D42CFA1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: e80e4d76f6da1e102133fe255f57d74be12d92b07af7cbd7096430ca77140ecd
                                                                                                                                                                          • Instruction ID: 0c5ab46b5af790ac4e7b28d84d219ad9d10c468da4b8a478ec3de4a925017d7c
                                                                                                                                                                          • Opcode Fuzzy Hash: e80e4d76f6da1e102133fe255f57d74be12d92b07af7cbd7096430ca77140ecd
                                                                                                                                                                          • Instruction Fuzzy Hash: 0BE10AB4E102198FDB14DFA9C580AAEFBB2FF89305F248269D415A7356D731AD41CFA0
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1372089326.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2900000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: d5c324a5ef81e2828d8c5bc507a002fb46b5dade66dfa89b4e9938fcccccc645
                                                                                                                                                                          • Instruction ID: 2d244298a7975534014a9fee3724627dd57bee43c35ea4e2a65bf4ecb401e4fe
                                                                                                                                                                          • Opcode Fuzzy Hash: d5c324a5ef81e2828d8c5bc507a002fb46b5dade66dfa89b4e9938fcccccc645
                                                                                                                                                                          • Instruction Fuzzy Hash: 5FA14E32E006098FCF15DFB4C8845AEB7B6FF85304B15456AE806AB2A1DF71EA56CF40
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 4d14253d51a25dbf8da6b6066f823ccf6c469a91e20a03a1abcc5cf60a6b99fd
                                                                                                                                                                          • Instruction ID: 89f413e352d9308537be5c2dea2d8b91863233bdd52cc6d057fab00448030fe4
                                                                                                                                                                          • Opcode Fuzzy Hash: 4d14253d51a25dbf8da6b6066f823ccf6c469a91e20a03a1abcc5cf60a6b99fd
                                                                                                                                                                          • Instruction Fuzzy Hash: 64812CB4E202598FDB14DF69C580AAEFBF6FF89305F24C169D408A7256D7309A41CFA1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 60b714bec8e4dc9a2b1a9cd73b60e8ed5219083293db013fbf35ecfc9a2e631a
                                                                                                                                                                          • Instruction ID: 13cbd5212a9155b295cc15cd083240468b427a82d10955a96253a7c4b5ff94f4
                                                                                                                                                                          • Opcode Fuzzy Hash: 60b714bec8e4dc9a2b1a9cd73b60e8ed5219083293db013fbf35ecfc9a2e631a
                                                                                                                                                                          • Instruction Fuzzy Hash: DA812AB4D202598FDB14DF69C580AAEFBF6FF89304F24C569D408A7256D7309A41CFA1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: c89ed0aebef540e6066ea137f414e16ac8a2e39758cf36aea634466db1803476
                                                                                                                                                                          • Instruction ID: 4f1627e30211120a39361e031f41b72a81750339e7a6346ad6b52131eb540109
                                                                                                                                                                          • Opcode Fuzzy Hash: c89ed0aebef540e6066ea137f414e16ac8a2e39758cf36aea634466db1803476
                                                                                                                                                                          • Instruction Fuzzy Hash: 49416EB0E2521ADFCB04CFA9C5856AFFBF5BF99300F20946AC504B7254E37497418BA4
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1385404093.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_7200000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 371dbd4e76cf18d36b2a79fc34144c0a4ff11f854fa696c92d1797816b2f697f
                                                                                                                                                                          • Instruction ID: 519baac6393ae71dfaaeb64d949ea749dc43c6934810c6c56c7b074f8d372379
                                                                                                                                                                          • Opcode Fuzzy Hash: 371dbd4e76cf18d36b2a79fc34144c0a4ff11f854fa696c92d1797816b2f697f
                                                                                                                                                                          • Instruction Fuzzy Hash: 24415EB0E2521ADFCB04CFA5C5456AFFBF5BF89300F20946AC515B7264E37457418BA4

                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:7.5%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                          Total number of Nodes:33
                                                                                                                                                                          Total number of Limit Nodes:5
                                                                                                                                                                          execution_graph 14261 28fd0b8 14262 28fd0fe GetCurrentProcess 14261->14262 14264 28fd149 14262->14264 14265 28fd150 GetCurrentThread 14262->14265 14264->14265 14266 28fd18d GetCurrentProcess 14265->14266 14267 28fd186 14265->14267 14268 28fd1c3 14266->14268 14267->14266 14269 28fd1eb GetCurrentThreadId 14268->14269 14270 28fd21c 14269->14270 14271 28fad38 14274 28fae30 14271->14274 14272 28fad47 14275 28fae41 14274->14275 14276 28fae64 14274->14276 14275->14276 14277 28fb068 GetModuleHandleW 14275->14277 14276->14272 14278 28fb095 14277->14278 14278->14272 14279 28f4668 14280 28f4684 14279->14280 14281 28f4696 14280->14281 14283 28f47a0 14280->14283 14284 28f47c5 14283->14284 14288 28f48a1 14284->14288 14292 28f48b0 14284->14292 14290 28f48b0 14288->14290 14289 28f49b4 14290->14289 14296 28f4248 14290->14296 14293 28f48d7 14292->14293 14294 28f49b4 14293->14294 14295 28f4248 CreateActCtxA 14293->14295 14294->14294 14295->14294 14297 28f5940 CreateActCtxA 14296->14297 14299 28f5a03 14297->14299 14300 28fd300 DuplicateHandle 14301 28fd396 14300->14301

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 028FD136
                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 028FD173
                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 028FD1B0
                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 028FD209
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Current$ProcessThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2063062207-0
                                                                                                                                                                          • Opcode ID: 2d994b8ce35193c096610e9c24c982f9d2e3fba0bf06b90e75b76b482bf9fbfd
                                                                                                                                                                          • Instruction ID: 1d40e0b9e391cca6eb758eac589b631e84dfa47ca3e2a6d32122150a81f3b94d
                                                                                                                                                                          • Opcode Fuzzy Hash: 2d994b8ce35193c096610e9c24c982f9d2e3fba0bf06b90e75b76b482bf9fbfd
                                                                                                                                                                          • Instruction Fuzzy Hash: D25188B49003498FEB44DFAAD948B9EBBF1FF88304F208059E119A7390D774A944CB66

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 028FD136
                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 028FD173
                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 028FD1B0
                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 028FD209
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Current$ProcessThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2063062207-0
                                                                                                                                                                          • Opcode ID: ffc04779ced081ead555bc5be34e7d0a9f7c4d2fc7c4918b39da322b80f5f4eb
                                                                                                                                                                          • Instruction ID: 069600e771f947dbb4ee36ad1e25b7fc3e62f102f4ba00fa4307ba041b722e07
                                                                                                                                                                          • Opcode Fuzzy Hash: ffc04779ced081ead555bc5be34e7d0a9f7c4d2fc7c4918b39da322b80f5f4eb
                                                                                                                                                                          • Instruction Fuzzy Hash: EA5158B49007098FEB54DFAAD948B9EBBF1FF48304F208059E519A7390D774A984CB65

                                                                                                                                                                          Control-flow Graph

control_flow_graph (rendered interactively in the original report; node data summarized): basic blocks 28fae30 to 28fb0b0; calls to 28f9838, 28fb0b8 / 28fb0c8, 28fa814, 28fa824, 28fa834, 28fa844; GetModuleHandleW in block 28fb068-28fb093
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 028FB086
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4139908857-0
                                                                                                                                                                          • Opcode ID: 1a11d427e1861190c2360ae6af0c4ceab22222e87342ecbea74bf680ad74732a
                                                                                                                                                                          • Instruction ID: 1ba2c46e92353e24146e75b11359f72fb46ead6dd196fdd65cb25fbe1c1401c3
                                                                                                                                                                          • Opcode Fuzzy Hash: 1a11d427e1861190c2360ae6af0c4ceab22222e87342ecbea74bf680ad74732a
                                                                                                                                                                          • Instruction Fuzzy Hash: DA7149B8A00B058FD768DF2AD44075ABBF1FF88314F10892DE58ADBA40E775E845CB91

                                                                                                                                                                          Control-flow Graph

control_flow_graph (rendered interactively in the original report; node data summarized): basic blocks 28f5935 to 28f5b3c; CreateActCtxA in block 28f5944-28f5a01
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 028F59F1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Create
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2289755597-0
                                                                                                                                                                          • Opcode ID: ec72c6bc02903bb19bedefd1794b3724743d0d36a56b11bbe0eadf139acfb078
                                                                                                                                                                          • Instruction ID: c667f66d36e1e212d75b2fe7e8b148b35253d7c7bc04025d7205893d4eadd064
                                                                                                                                                                          • Opcode Fuzzy Hash: ec72c6bc02903bb19bedefd1794b3724743d0d36a56b11bbe0eadf139acfb078
                                                                                                                                                                          • Instruction Fuzzy Hash: 1341D2B4D00719CFEB24DFA9C8847DDBBB5BF45304F20816AD508AB251DB75694ACF50

                                                                                                                                                                          Control-flow Graph

control_flow_graph (rendered interactively in the original report; node data summarized): basic blocks 28f4248 to 28f5b3c; CreateActCtxA in block 28f4248-28f5a01
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 028F59F1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Create
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2289755597-0
                                                                                                                                                                          • Opcode ID: 535853bff5337100a43a91fa726725f9bfc849137df1210f1648652814a29777
                                                                                                                                                                          • Instruction ID: 580c5e2321162cbf4d9216adfddcb8ae4d7b0cc146037fa543b4f98bafe8dd23
                                                                                                                                                                          • Opcode Fuzzy Hash: 535853bff5337100a43a91fa726725f9bfc849137df1210f1648652814a29777
                                                                                                                                                                          • Instruction Fuzzy Hash: 8541CFB4D00719CBEB24CFA9C884B9EBBB5BF49704F60806AD508AB251DB756949CF90

                                                                                                                                                                          Control-flow Graph

control_flow_graph (rendered interactively in the original report; node data summarized): basic blocks 28fd2f9 to 28fd3ba; DuplicateHandle in block 28fd2f9-28fd394
                                                                                                                                                                          APIs
                                                                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028FD387
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DuplicateHandle
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3793708945-0
                                                                                                                                                                          • Opcode ID: 20b25404c678981ed82d6fb26be10c131e4fb6cdde6c6f739e8d1bc668ea5372
                                                                                                                                                                          • Instruction ID: 46a62891ba3e09f3b4fc9355e1b6f36de23d0580355eba55dff022e658aecb4b
                                                                                                                                                                          • Opcode Fuzzy Hash: 20b25404c678981ed82d6fb26be10c131e4fb6cdde6c6f739e8d1bc668ea5372
                                                                                                                                                                          • Instruction Fuzzy Hash: 4121E4B5D00249DFDB10CF9AE584ADEBBF5FB48310F14801AE918A3350D374A955CFA1

                                                                                                                                                                          Control-flow Graph

control_flow_graph (rendered interactively in the original report; node data summarized): basic blocks 28fd300 to 28fd3ba; DuplicateHandle in block 28fd300-28fd394
                                                                                                                                                                          APIs
                                                                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028FD387
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DuplicateHandle
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3793708945-0
                                                                                                                                                                          • Opcode ID: 701f2d74ea84c7e500371b1bcd41667136014b3108eb5b24c8e8cbc11df9369d
                                                                                                                                                                          • Instruction ID: b87ef6d06020cde6f91c59d49a444a65bbec660386a2afcc9af317be4485336e
                                                                                                                                                                          • Opcode Fuzzy Hash: 701f2d74ea84c7e500371b1bcd41667136014b3108eb5b24c8e8cbc11df9369d
                                                                                                                                                                          • Instruction Fuzzy Hash: 3021E4B5900209DFDB10CF9AD984ADEBBF4FB48310F14801AE918A3350D374A954CFA1

                                                                                                                                                                          Control-flow Graph

control_flow_graph (rendered interactively in the original report; node data summarized): basic blocks 28fb020 to 28fb0b0; GetModuleHandleW in block 28fb068-28fb093
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 028FB086
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4139908857-0
                                                                                                                                                                          • Opcode ID: 71129d3698a5aa66753752f0f64ba19157d4ebd58c7d0362b63619f064354d12
                                                                                                                                                                          • Instruction ID: d73068422884ec2e51c0ebd5b0f300c081182f2a670730dc659d7f3224ba3f7d
                                                                                                                                                                          • Opcode Fuzzy Hash: 71129d3698a5aa66753752f0f64ba19157d4ebd58c7d0362b63619f064354d12
                                                                                                                                                                          • Instruction Fuzzy Hash: 011110B9C007498FDB20CF9AD444BDEFBF4BB88214F10842AD569B7610D379A545CFA1
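The per-function blocks above (APIs with their ref: addresses, the Memory Dump Source line naming the .sdmp region, the Opcode/Instruction IDs and fuzzy hashes) share one fixed layout, so they can be turned into structured data and grouped by memory region instead of being read one at a time. The parser below is an added example, not code from the Joe Sandbox report or from the RedLine sample; it runs over a constructed excerpt that reuses values from the blocks above. Decoding the .sdmp filename as process index, dump index, base address and then a page-protection field (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about Joe Sandbox's naming scheme: only the base address (it matches the report's own Offset: value) and the "based on PE: false" flag are stated on the page.

```python
"""Parse Joe Sandbox per-function report blocks into structured data.

Added example, not code from the Joe Sandbox report or from the RedLine sample.
SAMPLE below is a constructed excerpt in the report's layout. Decoding of the
.sdmp filename beyond the base address is an assumption about the naming
scheme (see parse_dump_name).
"""
import re
from collections import defaultdict

# Win32 page-protection constants from winnt.h.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# "• GetCurrentProcess.KERNEL32 ref: 028FD136" and
# "• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028FD387" both match.
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)")
FIELD_RE = re.compile(r"^•\s*(?P<key>API ID|Opcode ID|Instruction ID|Instruction Fuzzy Hash):\s*(?P<val>\S+)")

# Constructed excerpt: two function blocks in the same layout as the report.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 028FD136
• GetCurrentThread.KERNEL32 ref: 028FD173
• GetCurrentThreadId.KERNEL32 ref: 028FD209
Memory Dump Source
• Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_28f0000_Xf3rn1smZw.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• Opcode ID: 2d994b8ce35193c096610e9c24c982f9d2e3fba0bf06b90e75b76b482bf9fbfd
• Instruction Fuzzy Hash: D25188B49003498FEB44DFAAD948B9EBBF1FF88304F208059E119A7390D774A944CB66
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028FD387
Memory Dump Source
• Source File: 00000003.00000002.2622371743.00000000028F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• Instruction Fuzzy Hash: 4121E4B5D00249DFDB10CF9AE584ADEBBF5FB48310F14801AE918A3350D374A955CFA1
"""


def parse_dump_name(name):
    """Split a .sdmp name. ASSUMPTION: fields are <process idx>.<dump idx>.<unknown>.
    <base>.<protect>...; only the base is confirmed by the report's own Offset: value."""
    f = name[:-len(".sdmp")].split(".")
    protect = int(f[4], 16)
    return {"process_index": int(f[0]), "dump_index": int(f[1]), "base": int(f[3], 16),
            "protect": protect, "protect_name": PAGE_PROTECT.get(protect, f"0x{protect:X}")}


def parse_blocks(text):
    """One dict per 'APIs' block: called APIs (name, module, ref), source region, IDs."""
    blocks, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            cur = {"apis": [], "source": None, "fields": {}}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if (m := API_RE.match(line)):
            cur["apis"].append((m["api"], m["module"], int(m["ref"], 16)))
        elif (m := SOURCE_RE.search(line)):
            src = parse_dump_name(m["name"])
            src["offset"] = int(m["off"], 16)
            src["pe_backed"] = (m["pe"] == "true")
            cur["source"] = src
        elif (m := FIELD_RE.match(line)):
            cur["fields"][m["key"]] = m["val"]
    return blocks


def summarize(blocks):
    """Group functions by dump region; flag executable regions not backed by a PE image."""
    regions = defaultdict(lambda: {"functions": 0, "apis": set(), "pe_backed": None, "protect_name": None})
    for b in blocks:
        src = b["source"]
        if src is None:
            continue
        r = regions[src["base"]]
        r["functions"] += 1
        r["pe_backed"], r["protect_name"] = src["pe_backed"], src["protect_name"]
        r["apis"].update(api for api, _, _ in b["apis"])
    findings = []
    for base, r in sorted(regions.items()):
        # Code running from a writable+executable region with no PE image behind it
        # is the memory shape an unpacked or injected stage leaves behind.
        if r["protect_name"] == "PAGE_EXECUTE_READWRITE" and r["pe_backed"] is False:
            findings.append(f"0x{base:08X}: non-PE RWX region, {r['functions']} functions, "
                            f"APIs: {', '.join(sorted(r['apis']))}")
    return dict(regions), findings


if __name__ == "__main__":
    _, findings = summarize(parse_blocks(SAMPLE))
    for line in findings:
        print(line)
```

Grouping by region is the useful view here: every function in this section resolves to the same 028F0000 dump, which is not backed by a PE image, so the DuplicateHandle, CreateActCtxA, GetModuleHandleW and GetCurrentProcess/Thread references all come from one executable region that has no module behind it. The parser keeps the Instruction Fuzzy Hash fields as well, since those are the per-function similarity handles to pivot on across reports.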
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2621929422.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_fad000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 61056dab3ed66a2a4e805b07276504a14b1593afca2224ecc60e6d8b5de0d897
                                                                                                                                                                          • Instruction ID: 4d96567d10f2b72023134451fc6fa51330b4ad9719e5493d0335351651ef94ca
                                                                                                                                                                          • Opcode Fuzzy Hash: 61056dab3ed66a2a4e805b07276504a14b1593afca2224ecc60e6d8b5de0d897
                                                                                                                                                                          • Instruction Fuzzy Hash: 702128B6500344DFDB04DF10D9C0B16BB65FB99324F24C169DC0A0B656C336E856EBA2
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622025189.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_fbd000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 4020ee30ddf89c254f63d709b86ade81d6922104d11ba760cc440a965329bb54
                                                                                                                                                                          • Instruction ID: 76e57588b25bed57de2b1037ccf743354692cb24d19a090df040444dd2d54baf
                                                                                                                                                                          • Opcode Fuzzy Hash: 4020ee30ddf89c254f63d709b86ade81d6922104d11ba760cc440a965329bb54
                                                                                                                                                                          • Instruction Fuzzy Hash: FB212575A04340DFDB14EF10D8C0B56BB65FB84324F24C569D80A4B28AD336D807DE62
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2622025189.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_fbd000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: aa8c873415efff6d7c7084bd6497060f1240bea3087410cc3d12dc40e56c0d8b
                                                                                                                                                                          • Instruction ID: 93bf602e7827803a8326d4832e07a60cc57f9fb7e2514c4474fcdc32f5229353
                                                                                                                                                                          • Opcode Fuzzy Hash: aa8c873415efff6d7c7084bd6497060f1240bea3087410cc3d12dc40e56c0d8b
                                                                                                                                                                          • Instruction Fuzzy Hash: 98218E755093808FCB02DF20D990755BF71EB46324F28C5EAD8498B6A7C33A980ADB62
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2621929422.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_fad000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                                                                                                          • Instruction ID: 05d4713083d902e033fcb87978e1eef284ff11f11a76b7cc3aa962234b9e9998
                                                                                                                                                                          • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                                                                                                                                                          • Instruction Fuzzy Hash: 741103B6804240CFCB05CF00D5C4B16BF71FB98324F24C2A9DC0A0B656C33AE856DBA1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2621929422.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_fad000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 23cf1136cb4c3a9c18b98c7d55a0796674bcab9ac6214874985e168322256fcf
                                                                                                                                                                          • Instruction ID: fd0242297842e585f8ad2ab058d84c65c8cc97cdb033e001b730ec3dfffebafc
                                                                                                                                                                          • Opcode Fuzzy Hash: 23cf1136cb4c3a9c18b98c7d55a0796674bcab9ac6214874985e168322256fcf
                                                                                                                                                                          • Instruction Fuzzy Hash: 0CF0F9B6600600AF97208F0AD884C27FBADFFD5774719C55AE84A4B712C671EC41DEA0
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2621929422.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_fad000_Xf3rn1smZw.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 57596f9ef79340695a381d89161b87a974e6ab09b8d8a0fac751820c975822a2
                                                                                                                                                                          • Instruction ID: e4f95189d272e9c137f40fd844bb0fe72a4233fbf8bcfe88fa57b3474579cbfc
                                                                                                                                                                          • Opcode Fuzzy Hash: 57596f9ef79340695a381d89161b87a974e6ab09b8d8a0fac751820c975822a2
                                                                                                                                                                          • Instruction Fuzzy Hash: 9FF03C75104680AFD3158F06C884C62BFB9FF867607198489E88A4B752C671FC42DB60
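The blocks above are the per-function records the Joe Sandbox IDA plugin writes for code recovered from memory dumps: each carries the .sdmp file the function was lifted from, its offset, whether the dump could be parsed as a PE, and two hash pairs (an exact Opcode ID / Instruction ID and a fuzzy hash of each). Analysts who want to pivot on these across reports, or to see which dump regions the recovered functions cluster in, need them in a machine-readable form. The following is an added example, not part of this report or of Joe Sandbox's own tooling: it parses records in the layout shown above (three of them copied in as the constructed sample) and groups the functions by dump region. The reading of the dot-separated .sdmp name fields as process index, dump pass, base address and page protection is an assumption about Joe Sandbox's naming scheme that the page itself does not document; 0x40 being PAGE_EXECUTE_READWRITE is the Win32 constant.

```python
import re
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant

# Constructed sample: three "Memory Dump Source" records copied from the report section above.
SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.2621929422.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad000_Xf3rn1smZw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 61056dab3ed66a2a4e805b07276504a14b1593afca2224ecc60e6d8b5de0d897
• Instruction ID: 4d96567d10f2b72023134451fc6fa51330b4ad9719e5493d0335351651ef94ca
• Opcode Fuzzy Hash: 61056dab3ed66a2a4e805b07276504a14b1593afca2224ecc60e6d8b5de0d897
• Instruction Fuzzy Hash: 702128B6500344DFDB04DF10D9C0B16BB65FB99324F24C169DC0A0B656C336E856EBA2
Memory Dump Source
• Source File: 00000003.00000002.2622025189.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fbd000_Xf3rn1smZw.jbxd
• Opcode ID: 4020ee30ddf89c254f63d709b86ade81d6922104d11ba760cc440a965329bb54
• Instruction ID: 76e57588b25bed57de2b1037ccf743354692cb24d19a090df040444dd2d54baf
• Opcode Fuzzy Hash: 4020ee30ddf89c254f63d709b86ade81d6922104d11ba760cc440a965329bb54
• Instruction Fuzzy Hash: FB212575A04340DFDB14EF10D8C0B56BB65FB84324F24C569D80A4B28AD336D807DE62
Memory Dump Source
• Source File: 00000003.00000002.2621929422.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_fad000_Xf3rn1smZw.jbxd
• Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction ID: 05d4713083d902e033fcb87978e1eef284ff11f11a76b7cc3aa962234b9e9998
• Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
• Instruction Fuzzy Hash: 741103B6804240CFCB05CF00D5C4B16BF71FB98324F24C2A9DC0A0B656C33AE856DBA1
"""

# "Source File" value: <name>.sdmp, Offset: <hex>, based on PE: true|false
SOURCE_RE = re.compile(r"(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
# Every bullet line is "• <key>: <value>"; the key runs up to the first colon.
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


@dataclass
class FunctionEntry:
    dump_file: str
    offset: int
    based_on_pe: bool
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str


def decode_sdmp_name(name: str) -> dict:
    """Split an .sdmp file name into its eight dot-separated fields.

    Assumption (not stated on the page): field 0 is the process index in the
    report, field 1 the dump pass, field 3 the region base address and field 4
    the region's page protection as VirtualQuery reports it."""
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name layout: {name}")
    return {
        "process_index": int(parts[0]),
        "dump_pass": int(parts[1]),
        "base_address": int(parts[3], 16),
        "protect": int(parts[4], 16),
    }


def _build(fields: dict) -> FunctionEntry:
    m = SOURCE_RE.search(fields.get("Source File", ""))
    if not m:
        raise ValueError("record without a parsable Source File line")
    return FunctionEntry(
        dump_file=m.group(1),
        offset=int(m.group(2), 16),
        based_on_pe=(m.group(3) == "true"),
        opcode_id=fields.get("Opcode ID", ""),
        instruction_id=fields.get("Instruction ID", ""),
        opcode_fuzzy=fields.get("Opcode Fuzzy Hash", ""),
        instruction_fuzzy=fields.get("Instruction Fuzzy Hash", ""),
    )


def parse_entries(text: str) -> list:
    """Turn the plugin's text records into FunctionEntry objects, in page order."""
    entries, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()  # the report export indents every line heavily
        if line == "Memory Dump Source":
            if fields:
                entries.append(_build(fields))
            fields = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    if fields:
        entries.append(_build(fields))
    return entries


def dump_region_summary(entries: list) -> dict:
    """Count recovered functions per dump file and flag regions dumped as RWX, non-PE memory."""
    summary = {}
    for e in entries:
        meta = decode_sdmp_name(e.dump_file)
        s = summary.setdefault(e.dump_file, {
            "functions": 0,
            "base_address": meta["base_address"],
            "rwx": meta["protect"] == PAGE_EXECUTE_READWRITE,
            "based_on_pe": e.based_on_pe,
        })
        s["functions"] += 1
    return summary


def opcode_id_equals_fuzzy(entries: list) -> bool:
    """In the records above the Opcode ID and Opcode Fuzzy Hash are identical; confirm it holds."""
    return all(e.opcode_id == e.opcode_fuzzy for e in entries)
```

Run over the records on this page, the summary shows two regions in process index 3 (base 0xFAD000 and 0xFBD000), both dumped with protection 0x40 and not parsable as a PE; functions lifted from executable, writable, non-image memory are the ones worth comparing across reports, since that is where unpacked or injected code lives. The Instruction Fuzzy Hash is the field to pivot on for near-matches; the Opcode ID is an exact identifier and only matches byte-identical functions.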