Windows Analysis Report
zAGUEDGSTM.exe

Overview

General Information

Sample name: zAGUEDGSTM.exe (renamed because the original name is a hash value)
Original sample name: c4a993a439395763eaa84f6f2cdcd20c2b8d3a9bafe795ce1874f7d510d34293.exe
Analysis ID: 1588368
MD5: 2e9813378670ee5306aea0d39794b450
SHA1: bc27715b7741492851b146dc3eaad9fdabdc586f
SHA256: c4a993a439395763eaa84f6f2cdcd20c2b8d3a9bafe795ce1874f7d510d34293
Tags: exe, RedLineStealer, user-adrian__luca

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • zAGUEDGSTM.exe (PID: 6068 cmdline: "C:\Users\user\Desktop\zAGUEDGSTM.exe" MD5: 2E9813378670EE5306AEA0D39794B450)
    • zAGUEDGSTM.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\zAGUEDGSTM.exe" MD5: 2E9813378670EE5306AEA0D39794B450)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently either standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. It also takes a system inventory of the target machine, including the username, location data, hardware configuration, and installed security software. More recent versions added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author
00000000.00000002.2142749084.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2142749084.000000000403C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.3377135764.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: zAGUEDGSTM.exe PID: 6068 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(2 further entries not shown in this export)
Source | Rule | Description | Author | Strings
0.2.zAGUEDGSTM.exe.3ff9970.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.zAGUEDGSTM.exe.3ff9970.0.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | matched strings:
              • 0x24cc3:$gen01: ChromeGetRoamingName
              • 0x24ce8:$gen02: ChromeGetLocalName
              • 0x24d2b:$gen03: get_UserDomainName
              • 0x28bc4:$gen04: get_encrypted_key
              • 0x27943:$gen05: browserPaths
              • 0x27c19:$gen06: GetBrowsers
              • 0x27501:$gen07: get_InstalledInputLanguages
              • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
              • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
              • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
              • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
              • 0x296be:$spe9: *wallet*
              • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
              • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
              • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
              • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
              • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
              • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
              • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
              • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.zAGUEDGSTM.exe.4044b90.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.zAGUEDGSTM.exe.4044b90.2.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | matched strings:
                • 0x24cc3:$gen01: ChromeGetRoamingName
                • 0x24ce8:$gen02: ChromeGetLocalName
                • 0x24d2b:$gen03: get_UserDomainName
                • 0x28bc4:$gen04: get_encrypted_key
                • 0x27943:$gen05: browserPaths
                • 0x27c19:$gen06: GetBrowsers
                • 0x27501:$gen07: get_InstalledInputLanguages
                • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
                • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
                • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
                • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
                • 0x296be:$spe9: *wallet*
                • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
                • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
                • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
                • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
                • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
                • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
                • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
                • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
3.2.zAGUEDGSTM.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(5 further entries not shown in this export)
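The three $spe strings matched by the Sekoia.io rule above show RedLine's string splitting: a junk token ("FileInfo", "Generic", "String") is spliced into each sensitive literal so that neither the Opera GX profile name, the AppData\Roaming path nor the token-shaped regular expression appears contiguously in the binary. Reading those matches as "plaintext with a repeated junk token inserted" is the editor's interpretation; the report does not show the sample's own decoding routine. The Python below is an added example, not code from the rule, the sample or Joe Sandbox. It recovers the junk token purely from repetition (most frequent recurring substring, longest on a tie) and strips it, so it generalises to other split strings pulled from a memory dump without knowing the token in advance.

```python
import re

# The three split strings exactly as listed in the Sekoia.io matches above
# ($spe1, $spe7, $spe8). Backslashes are doubled for Python source only.
SPLIT_STRINGS = {
    "spe1": "[AString-ZaString-z\\d]{2String4}\\.[String\\w-]{String6}\\.[\\wString-]{2String7}",
    "spe7": "OFileInfopeFileInfora GFileInfoX StabFileInfole",
    "spe8": "ApGenericpDaGenericta\\RGenericoamiGenericng\\",
}


def find_junk_token(s, min_len=4, min_count=3):
    """Guess the spliced-in junk token: the substring of at least min_len
    characters that recurs most often (non-overlapping), preferring the longest
    candidate on a tie. Returns None when nothing recurs min_count times."""
    best = None  # (token, count)
    for length in range(min_len, len(s) // min_count + 1):
        for i in range(len(s) - length + 1):
            cand = s[i:i + length]
            n = s.count(cand)
            if n >= min_count and (best is None or (n, length) > (best[1], len(best[0]))):
                best = (cand, n)
    return best[0] if best else None


def deobfuscate(s):
    """Remove the inferred junk token; strings with no repeated token pass through."""
    token = find_junk_token(s)
    return s.replace(token, "") if token else s


def recover_all(strings=SPLIT_STRINGS):
    """Map each rule string name to its recovered plaintext."""
    return {name: deobfuscate(value) for name, value in strings.items()}


def recovered_regex_matches(candidate):
    """Compile the recovered $spe1 pattern and test a candidate against it."""
    return re.fullmatch(deobfuscate(SPLIT_STRINGS["spe1"]), candidate) is not None


if __name__ == "__main__":
    for name, plain in recover_all().items():
        print(f"{name}: {plain}")
    # Constructed token-shaped input (24.6.27 characters), not real data.
    print(recovered_regex_matches("A" * 24 + "." + "B" * 6 + "." + "C" * 27))
```

Recovered, $spe7 is "Opera GX Stable", $spe8 is "AppData\Roaming\" and $spe1 is the pattern [A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}, the shape the stealer uses to pick authentication tokens out of application storage. The same token-stripping idea, run over all strings in an unpacked dump, is a quick way to get a readable browser and wallet target list without stepping through the decoder.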
                  No Sigma rule has matched
                  No Suricata rule has matched


                  AV Detection

Source: zAGUEDGSTM.exe | Avira: detected
Source: 00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: zAGUEDGSTM.exe | VirusTotal: Detection: 70%
Source: zAGUEDGSTM.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: zAGUEDGSTM.exe | Joe Sandbox ML: detected
Source: zAGUEDGSTM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zAGUEDGSTM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbv source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb<, source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.0000000001444000.00000004.00000020.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3377720452.0000000001424000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbYi source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013EF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb@ source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013EF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb0 source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp

                  Networking

Source: Malware configuration extractor | URLs: 87.120.120.86:1912
Source: global traffic | TCP traffic: 192.168.2.6:49712 -> 87.120.120.86:1912
Source: Joe Sandbox View | IP Address: 87.120.120.86
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86 (23 occurrences)
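The configuration extractor and the traffic findings above describe the same thing from two sides: the C2 is a bare IP:port (87.120.120.86:1912), so the sample never issues a DNS query for it, and the port is outside the usual web and mail set. Together that is a practical hunting rule for a network sensor: outbound TCP to a non-local address that never appeared in a DNS answer, flagged harder when the port is unusual. The Python below is an added example, not code from Joe Sandbox or the sample. It parses the configuration blob printed in this report, then runs that check over constructed Zeek-style JSON records (the dns.log and conn.log lines are made up for the example and use Zeek's field names; only the 192.168.2.6:49712 -> 87.120.120.86:1912 flow is taken from the report). The STANDARD_PORTS and local-network lists are assumptions a team would tune to its own environment.

```python
import ipaddress
import json

# Configuration blob exactly as the report's extractor printed it.
REDLINE_CONFIG = json.loads(
    '{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", '
    '"Authorization Header": "c74790bd166600f1f665c8ce201776eb"}'
)

# Assumed baseline: ports a workstation normally talks to directly.
STANDARD_PORTS = {22, 25, 80, 443, 465, 587, 993, 995}
# Assumed internal ranges; flows to these are not candidates.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed Zeek-style JSON records (made up for this example). The dns.log
# rows resolve two fake names; only the 87.120.120.86:1912 conn.log row is real.
DNS_LOG = """\
{"ts":1736900000.1,"id.orig_h":"192.168.2.6","query":"update.example.test","answers":["203.0.113.10"]}
{"ts":1736900001.2,"id.orig_h":"192.168.2.6","query":"cdn.example.test","answers":["edge.example.test","203.0.113.20","203.0.113.21"]}
"""
CONN_LOG = """\
{"ts":1736900002.0,"id.orig_h":"192.168.2.6","id.orig_p":49700,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp"}
{"ts":1736900003.0,"id.orig_h":"192.168.2.6","id.orig_p":49701,"id.resp_h":"192.168.2.1","id.resp_p":53,"proto":"udp"}
{"ts":1736900004.0,"id.orig_h":"192.168.2.6","id.orig_p":49712,"id.resp_h":"87.120.120.86","id.resp_p":1912,"proto":"tcp"}
{"ts":1736900005.0,"id.orig_h":"192.168.2.6","id.orig_p":49713,"id.resp_h":"203.0.113.21","id.resp_p":443,"proto":"tcp"}
"""


def c2_endpoints(config):
    """Split each 'C2 url' entry into (host, port). RedLine stores bare host:port
    rather than a URL with a scheme; IPv4 literals are assumed here."""
    endpoints = []
    for entry in config.get("C2 url", []):
        host, sep, port = entry.rpartition(":")
        if not sep:
            host, port = entry, "0"
        endpoints.append((host, int(port)))
    return endpoints


def resolved_addresses(dns_log):
    """Every IP address that appeared in a DNS answer; CNAME answers are skipped."""
    seen = set()
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        for answer in json.loads(line).get("answers", []):
            try:
                seen.add(str(ipaddress.ip_address(answer)))
            except ValueError:
                pass  # not an address (e.g. a CNAME target)
    return seen


def connections_without_dns(conn_log, dns_log, config):
    """Outbound TCP flows to a non-local address that DNS never returned,
    annotated with whether the port is unusual and whether it is the config's C2."""
    resolved = resolved_addresses(dns_log)
    c2 = set(c2_endpoints(config))
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        dst = ipaddress.ip_address(rec["id.resp_h"])
        if rec["proto"] != "tcp" or any(dst in net for net in LOCAL_NETS):
            continue
        if str(dst) in resolved:
            continue
        hits.append({
            "orig": f'{rec["id.orig_h"]}:{rec["id.orig_p"]}',
            "resp_h": str(dst),
            "resp_p": rec["id.resp_p"],
            "non_standard_port": rec["id.resp_p"] not in STANDARD_PORTS,
            "matches_config_c2": (str(dst), rec["id.resp_p"]) in c2,
        })
    return hits


if __name__ == "__main__":
    for hit in connections_without_dns(CONN_LOG, DNS_LOG, REDLINE_CONFIG):
        print(hit)
```

Only the 87.120.120.86:1912 flow survives: the two resolved destinations and the internal DNS lookup are dropped. The System.ServiceModel pdb paths and the schemas.xmlsoap.org / tempuri.org URIs elsewhere in this report are consistent with that channel being a .NET WCF service talking over a raw TCP port, which is why no HTTP or DNS based signature fires here and why a flow-level check like this one is worth running alongside them.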
Source: zAGUEDGSTM.exe | String found in binary or memory: http://localhost/calculator_server/requests.php
Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory (SOAP / WS-* namespaces used by .NET WCF):
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rmX
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/
Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory: http://tempuri.org/Entity/Id<N>LR and http://tempuri.org/Entity/Id<N>Response for N = 1 and N = 10 through 23 (WCF operation action URIs in the default tempuri.org contract namespace; each of these URLs was reported from all five memory regions listed)
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/P
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/x
                  Source: zAGUEDGSTM.exe, 00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000000.00000002.2142749084.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000000.00000002.2142749084.000000000403C000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3377135764.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip

                  System Summary

                  Source: 0.2.zAGUEDGSTM.exe.3ff9970.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings (Author: Sekoia.io)
                  Source: 0.2.zAGUEDGSTM.exe.4044b90.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings (Author: Sekoia.io)
                  Source: 3.2.zAGUEDGSTM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings (Author: Sekoia.io)
                  Source: 0.2.zAGUEDGSTM.exe.4044b90.2.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings (Author: Sekoia.io)
                  Source: 0.2.zAGUEDGSTM.exe.3ff9970.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings (Author: Sekoia.io)
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 0_2_012D3E28
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 0_2_012D6F90
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 0_2_012DDFB4
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 3_2_02F7DC74
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 3_2_0569EE58
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 3_2_05698850
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 3_2_05690040
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 3_2_05690006
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 3_2_05698840
                  Source: zAGUEDGSTM.exe | Binary or memory string: OriginalFilename vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000000.00000000.2131484750.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexrgrP.exe" vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000000.00000002.2141922868.0000000003030000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000000.00000002.2141578002.000000000148E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000000.00000002.2151136038.00000000059D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000000.00000002.2155640165.00000000074D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000000.00000002.2142749084.000000000403C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe, 00000003.00000002.3377135764.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe | Binary or memory string: OriginalFilenamexrgrP.exe" vs zAGUEDGSTM.exe
                  Source: zAGUEDGSTM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.zAGUEDGSTM.exe.3ff9970.0.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings (author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e)
                  Source: 0.2.zAGUEDGSTM.exe.4044b90.2.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings (author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e)
                  Source: 3.2.zAGUEDGSTM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings (author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e)
                  Source: 0.2.zAGUEDGSTM.exe.4044b90.2.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings (author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e)
                  Source: 0.2.zAGUEDGSTM.exe.3ff9970.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings (author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e)
                  Source: zAGUEDGSTM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/1
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zAGUEDGSTM.exe.log
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Mutant created: NULL
                  Source: zAGUEDGSTM.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: zAGUEDGSTM.exe | Virustotal: Detection: 70%
                  Source: zAGUEDGSTM.exe | ReversingLabs: Detection: 68%
                  Source: unknown | Process created: C:\Users\user\Desktop\zAGUEDGSTM.exe "C:\Users\user\Desktop\zAGUEDGSTM.exe"
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Process created: C:\Users\user\Desktop\zAGUEDGSTM.exe "C:\Users\user\Desktop\zAGUEDGSTM.exe"
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: iconcodecservice.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: msvcp140_clr0400.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: zAGUEDGSTM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: zAGUEDGSTM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbv source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb<, source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.0000000001444000.00000004.00000020.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3377720452.0000000001424000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbYi source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013EF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb@ source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013EF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb0 source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.00000000013BC000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 0_2_012D5E00 push eax; iretd 0_2_012D5E09
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Code function: 3_2_0569D442 push eax; ret 3_2_0569D451
                  Source: zAGUEDGSTM.exe | Static PE information: section name: .text entropy: 7.80801054220798
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\zAGUEDGSTM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: zAGUEDGSTM.exe PID: 6068, type: MEMORYSTR
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 12D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 2FF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 2F20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 7F60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 76B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 8F60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 9F60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 2F30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: 5110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe TID: 6316 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Thread delayed: delay time: 922337203685477
Source: zAGUEDGSTM.exe, 00000003.00000002.3377720452.0000000001430000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Memory written: C:\Users\user\Desktop\zAGUEDGSTM.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Process created: C:\Users\user\Desktop\zAGUEDGSTM.exe "C:\Users\user\Desktop\zAGUEDGSTM.exe"
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Users\user\Desktop\zAGUEDGSTM.exe VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Users\user\Desktop\zAGUEDGSTM.exe VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\zAGUEDGSTM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
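Added example (not part of the Joe Sandbox report and not the sample's code): a Python triage pass over the behaviour lines of the two sections above, re-typed here as constructed input. It applies the checks an analyst would want before trusting the "evasion" labels: the delay value 922337203685477 is .NET TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks of 100 ns, divided by 10 000), i.e. an indefinite wait that dwarfs the sandbox's 30 s bound; an MZ header written at base 0x400000 into a freshly spawned copy of the same executable is the RunPE / process-hollowing pattern behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures; and MEM_WRITE_WATCH reservations, although listed under sandbox evasion, are also made routinely by the .NET Framework garbage collector for its own heap, so on a managed sample that indicator carries little weight by itself. The function names, the SANDBOX_SLEEP_THRESHOLD_MS constant and the line regex are this example's own assumptions about the report format.

```python
"""Triage of Joe Sandbox behaviour lines for the evasion and injection events
listed above (added example; not Joe Sandbox code or the sample's code)."""
import re
from collections import Counter
from typing import Optional

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in whole
# milliseconds that is 9223372036854775807 // 10_000 == 922337203685477,
# the value in the "Thread delayed" / "Thread sleep time" lines of this report.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# The sandbox bound printed as "-30000s" in the sleep line (assumption: treated
# here as milliseconds, the same unit as the delay value printed next to it).
SANDBOX_SLEEP_THRESHOLD_MS = 30_000

# One behaviour line: "Source: <path> [TID: <n>] <event>: <detail>"
LINE_RE = re.compile(
    r"^Source:\s+(?P<src>.+?\.exe)(?:\s+TID:\s+(?P<tid>\d+))?\s+"
    r"(?P<event>[A-Za-z ]+?):\s+(?P<detail>.*)$"
)

# Constructed sample input: lines from this report with the "Jump to behavior"
# link text dropped and a space restored between the path and the event.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Memory allocated: 12D0000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Memory allocated: 2FF0000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Memory allocated: 2F20000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe TID: 6316 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Memory allocated: page read and write | page guard",
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Memory written: C:\Users\user\Desktop\zAGUEDGSTM.exe base: 400000 value starts with: 4D5A",
    r'Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Process created: C:\Users\user\Desktop\zAGUEDGSTM.exe "C:\Users\user\Desktop\zAGUEDGSTM.exe"',
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation",
    r"Source: C:\Users\user\Desktop\zAGUEDGSTM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one behaviour line into source, thread id, event and detail."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_dotnet_max_timespan(ms: int) -> bool:
    """True when a delay equals TimeSpan.MaxValue in ms, i.e. wait forever."""
    return ms == DOTNET_TIMESPAN_MAX_MS


def delay_ms(detail: str) -> Optional[int]:
    """First integer in a delay/sleep detail; the sign Joe prints is dropped."""
    m = re.search(r"-?(\d+)", detail)
    return int(m.group(1)) if m else None


def triage(lines) -> dict:
    """Reduce behaviour lines to the indicators an analyst actually weighs."""
    counts = Counter()
    mz_written_to_own_image = False
    spawned_own_image = False
    for ev in filter(None, map(parse_line, lines)):
        event, detail, src = ev["event"], ev["detail"], ev["src"]
        if event == "Memory allocated" and "memory write watch" in detail:
            # MEM_WRITE_WATCH reservations. The .NET Framework GC makes these
            # for its own heap, so on a managed sample this is weak on its own.
            counts["write_watch_allocations"] += 1
        elif event in ("Thread delayed", "Thread sleep time"):
            ms = delay_ms(detail)
            if ms is not None and (
                is_dotnet_max_timespan(ms) or ms >= SANDBOX_SLEEP_THRESHOLD_MS
            ):
                counts["long_sleeps"] += 1
        elif event == "Memory written":
            # "<target> base: <addr> value starts with: 4D5A": an MZ header
            # written into another process, here the sample's own image.
            target = detail.split(" base: ", 1)[0]
            if detail.endswith("value starts with: 4D5A") and target == src:
                mz_written_to_own_image = True
        elif event == "Process created":
            # '<image> "<command line>"': a child running the same image.
            if detail.split(' "', 1)[0] == src:
                spawned_own_image = True
        elif event == "Key value queried" and detail.endswith("Cryptography MachineGuid"):
            counts["machine_guid_queries"] += 1
    return {
        "write_watch_allocations": counts["write_watch_allocations"],
        "long_sleeps": counts["long_sleeps"],
        "machine_guid_queries": counts["machine_guid_queries"],
        # Spawn a copy of itself, then overwrite its image at the original
        # base with a new PE: the RunPE / process-hollowing pattern.
        "self_hollowing": mz_written_to_own_image and spawned_own_image,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the sample above the result is three write-watch allocations, three indefinite sleeps, one MachineGuid read and a positive self-hollowing verdict; the hollowing verdict and the sleep value are the findings worth acting on, while the write-watch count should be read together with the GAC_MSIL assembly loads in this section, which confirm a .NET Framework process.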

                  Stealing of Sensitive Information

Source: Yara match | File source: 0.2.zAGUEDGSTM.exe.3ff9970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zAGUEDGSTM.exe.4044b90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.zAGUEDGSTM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zAGUEDGSTM.exe.4044b90.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zAGUEDGSTM.exe.3ff9970.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2142749084.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2142749084.000000000403C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3377135764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zAGUEDGSTM.exe PID: 6068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zAGUEDGSTM.exe PID: 6368, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 0.2.zAGUEDGSTM.exe.3ff9970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zAGUEDGSTM.exe.4044b90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.zAGUEDGSTM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zAGUEDGSTM.exe.4044b90.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zAGUEDGSTM.exe.3ff9970.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2142749084.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2142749084.000000000403C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3377135764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zAGUEDGSTM.exe PID: 6068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zAGUEDGSTM.exe PID: 6368, type: MEMORYSTR
MITRE ATT&CK Matrix

The number in parentheses is the signature badge shown for that technique; techniques without a number are the unmatched cells of the default grid.

Tactic | Techniques
Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution | Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence | DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation | Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion | Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (111); Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1)
Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery | Security Software Discovery (1); Virtualization/Sandbox Evasion (31); System Information Discovery (12); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection | Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control | Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
zAGUEDGSTM.exe | 71% | Virustotal |
zAGUEDGSTM.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
zAGUEDGSTM.exe | 100% | Avira | HEUR/AGEN.1307351
zAGUEDGSTM.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
87.120.120.86:1912 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/Entity/Id10Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id22LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id2Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id11LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id5LR | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20Response | zAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                      high
                                                                      http://tempuri.org/Entity/Id3LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id15ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id13ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id4ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyzAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id6ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://api.ip.sb/ipzAGUEDGSTM.exe, 00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000000.00000002.2142749084.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000000.00000002.2142749084.000000000403C000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3377135764.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementzAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id23LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id7ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id21LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymouszAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/xzAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id11ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id9ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id22ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id24ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id1ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedzAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id18LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id16LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id8LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id14LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id6LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id18ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id12LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingzAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id10LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://localhost/calculator_server/requests.phpzAGUEDGSTM.exefalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id4LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://tempuri.org/Entity/Id2LRzAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rmXzAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://tempuri.org/Entity/Id3ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessagezAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://tempuri.org/Entity/Id16ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://tempuri.org/Entity/PzAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://tempuri.org/Entity/Id5ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequencezAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/soap/actor/nextzAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnszAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://tempuri.org/Entity/Id14ResponsezAGUEDGSTM.exe, 00000003.00000002.3379388245.000000000321E000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003111000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003273000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, zAGUEDGSTM.exe, 00000003.00000002.3379388245.0000000003310000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
IP             Domain    Country    ASN     ASN Name                  Malicious
87.120.120.86  unknown   Bulgaria   25206   UNACS-AS-BG8000BurgasBG   true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588368
Start date and time: 2025-01-11 01:26:51 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: zAGUEDGSTM.exe (renamed because original name is a hash value)
Original Sample Name: c4a993a439395763eaa84f6f2cdcd20c2b8d3a9bafe795ce1874f7d510d34293.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 33
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
19:27:42  API Interceptor  1x Sleep call for process: zAGUEDGSTM.exe modified

Match: 87.120.120.86
Associated Sample Name / URL                      Detection   Threat Name
C5Zr4LSzmp.exe                                    malicious   RedLine
C5Zr4LSzmp.exe                                    malicious   RedLine
VmoLw6EKj5.exe                                    malicious   RedLine
Xf3rn1smZw.exe                                    malicious   RedLine
2eRd5imEKU.exe                                    malicious   RedLine
2eRd5imEKU.exe                                    malicious   RedLine
17.12.2024 ________.exe                           malicious   RedLine
#U0417#U0430#U043f#U0440#U043e#U0441 11.12.2024.exe  malicious   RedLine
po4877383.exe                                     malicious   RedLine

No context
Match: UNACS-AS-BG8000BurgasBG
Associated Sample Name / URL   Detection   Threat Name         Context
WtZl31OLfA.exe                 malicious   Remcos, GuLoader    87.120.116.187
C5Zr4LSzmp.exe                 malicious   RedLine             87.120.120.86
C5Zr4LSzmp.exe                 malicious   RedLine             87.120.120.86
2XnMqJW0u1.exe                 malicious   XWorm               87.120.120.15
VmoLw6EKj5.exe                 malicious   RedLine             87.120.120.86
QwMcsmYcxv.exe                 malicious   AsyncRAT, VenomRAT  87.120.120.15
QwMcsmYcxv.exe                 malicious   AsyncRAT, VenomRAT  87.120.120.15
Xf3rn1smZw.exe                 malicious   RedLine             87.120.120.86
wqSmINeWgm.exe                 malicious   RedLine             87.120.120.7
2eRd5imEKU.exe                 malicious   RedLine             87.120.120.86

No context

No context
Process: C:\Users\user\Desktop\zAGUEDGSTM.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.792977045611438
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: zAGUEDGSTM.exe
File size: 726'016 bytes
MD5: 2e9813378670ee5306aea0d39794b450
SHA1: bc27715b7741492851b146dc3eaad9fdabdc586f
SHA256: c4a993a439395763eaa84f6f2cdcd20c2b8d3a9bafe795ce1874f7d510d34293
SHA512: 8383846103499338e231737ba23b8a3a56420d4b03510ae254c5fb42ae7f82f15afcfee5e2f1513834ed1c1bf8c6db23c1d27aa57a9547b57519a82a1e8d9c0f
SSDEEP: 12288:cPGO3+TQNW1wTpHK2eF8kF4zv9b01yuiEtIlu1Y23b5Xa:SdNbBKDZ4truiEtT1Y239
TLSH: 20F4026C6A15DD0BD94417780FB2F1792BAC6EDDE900C2078FED6EEBB836D120C45692
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...TwRg..............0.................. ... ....@.. .......................`............@................................
Icon Hash: 32642092d4f29244
Entrypoint: 0x4b16e6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67527754 [Fri Dec 6 04:02:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F1708823E82h
je 00007F1708823E82h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007F1708823E82h
imul eax, dword ptr [eax], 00610076h
je 00007F1708823E82h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb1694 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x1710 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaf70c | 0xaf800 | 4471fe9cbb481677fea83790490ac019 | False | 0.9349987758190883 | data | 7.80801054220798 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x1710 | 0x1800 | 83b13d68e3e725330df78fd7e907187f | False | 0.38427734375 | data | 5.0912108926264015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb4000 | 0xc | 0x200 | 2030cf130ac8d5d43197431540ae81ae | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Note: the .text section, which holds essentially the whole file (0xaf800 of 726'016 bytes), has an entropy of 7.81 out of a maximum of 8.0 and a ZLIB complexity of 0.93. Values that close to random are characteristic of compressed or encrypted content rather than plain CIL, which fits the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures above: the real payload is unpacked at runtime into the second zAGUEDGSTM.exe instance.
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb2160 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.3726547842401501
RT_GROUP_ICON | 0xb3208 | 0x14 | data | | | 1.1
RT_GROUP_ICON | 0xb321c | 0x14 | data | | | 1.05
RT_VERSION | 0xb3230 | 0x2f4 | data | | | 0.4298941798941799
RT_MANIFEST | 0xb3524 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Imports:
DLL | Import
mscoree.dll | _CorExeMain
Note: a single native import of _CorExeMain from mscoree.dll, together with the non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry, is the signature of a .NET managed executable: the native stub only hands control to the CLR, and the program logic is CIL described by the CLR header at RVA 0x2008. Static import-table analysis therefore shows nothing of the stealer's real API usage.
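The checks the tables above summarise (data-directory listing, per-section entropy, and the CLR-header test for a .NET image) can be reproduced without a sandbox. The following is an added example written for this page, not code from Joe Security or from the sample; it walks the PE32 headers with the standard library only and analyses a small PE constructed inside the script, so the section names, RVAs and the hypothetical entropy threshold of 7.0 are assumptions of the example rather than values taken from the report.

```python
# Added example (not Joe Sandbox code): dependency-free PE32 header walker
# reproducing the data-directory, section-entropy and .NET checks shown in
# the report tables. The PE it analyses is built in build_sample_pe().
import math
import random
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Walk DOS header -> COFF header -> optional header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ places the directories at +112)")
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]      # NumberOfRvaAndSizes
    directories = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", buf, opt + 96 + 8 * i)
        directories[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", buf, table + 40 * i)
        raw = buf[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": raw_size,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(raw),
        })
    # A non-empty CLR header directory is what makes the loader hand the image
    # to mscoree.dll; that is the .NET test, independent of the import table.
    _, com_size = directories.get("COM_DESCRIPTOR", (0, 0))
    return {"machine": machine, "directories": directories,
            "sections": sections, "is_dotnet": com_size != 0}


def suspicious_sections(report: dict, threshold: float = 7.0) -> list:
    """Executable sections whose entropy is in packed/encrypted territory."""
    return [s["name"] for s in report["sections"]
            if s["executable"] and s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed input (assumption, not the report's file): a minimal PE32 with
    a random-byte .text standing in for packed code, a near-empty .rsrc, and a
    CLR header directory entry. It parses but is not meant to load."""
    rng = random.Random(1337)
    text = bytes(rng.getrandbits(8) for _ in range(0x400))
    rsrc = b"\0" * 0x1F0 + b"RSRC" * 4
    hdr_size = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)   # COM_DESCRIPTOR
    sec = struct.Struct("<8sIIIIIIHHI")
    text_hdr = sec.pack(b".text", len(text), 0x2000, len(text), hdr_size,
                        0, 0, 0, 0, 0x60000020)
    rsrc_hdr = sec.pack(b".rsrc", len(rsrc), 0x4000, len(rsrc),
                        hdr_size + len(text), 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + rsrc_hdr
    return headers.ljust(hdr_size, b"\0") + text + rsrc


if __name__ == "__main__":
    rep = parse_pe(build_sample_pe())
    for s in rep["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.2f} exec={s['executable']}")
    print("is .NET:", rep["is_dotnet"], "flagged:", suspicious_sections(rep))
```

To run it against a real file, replace `build_sample_pe()` with the bytes read from disk; the script only handles PE32 (as this 32-bit sample is) and raises on PE32+, where the data directories sit 16 bytes further into the optional header.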
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 01:27:45.600434065 CET | 49712 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:27:45.605454922 CET | 1912 | 49712 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:27:45.605537891 CET | 49712 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:27:45.614136934 CET | 49712 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:27:45.618949890 CET | 1912 | 49712 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:28:06.978352070 CET | 1912 | 49712 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:28:06.978410006 CET | 49712 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:07.003709078 CET | 49712 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:12.025995970 CET | 49868 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:12.032164097 CET | 1912 | 49868 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:28:12.032321930 CET | 49868 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:12.032501936 CET | 49868 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:12.038499117 CET | 1912 | 49868 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:28:33.403913975 CET | 1912 | 49868 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:28:33.404053926 CET | 49868 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:33.404418945 CET | 49868 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:38.415697098 CET | 49990 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:38.420757055 CET | 1912 | 49990 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:28:38.420903921 CET | 49990 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:38.421147108 CET | 49990 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:38.425935030 CET | 1912 | 49990 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:28:59.794425964 CET | 1912 | 49990 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:28:59.794480085 CET | 49990 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:28:59.794795036 CET | 49990 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:04.806153059 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:04.811096907 CET | 1912 | 49993 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:29:04.811182976 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:04.811400890 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:04.816265106 CET | 1912 | 49993 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:29:26.186861992 CET | 1912 | 49993 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:29:26.187012911 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:26.187247038 CET | 49993 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:31.196924925 CET | 49995 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:31.202528000 CET | 1912 | 49995 | 87.120.120.86 | 192.168.2.6
Jan 11, 2025 01:29:31.202626944 CET | 49995 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:31.202939987 CET | 49995 | 1912 | 192.168.2.6 | 87.120.120.86
Jan 11, 2025 01:29:31.208620071 CET | 1912 | 49995 | 87.120.120.86 | 192.168.2.6
Note: every packet belongs to one of five connections from 192.168.2.6 (source ports 49712, 49868, 49990, 49993, 49995) to 87.120.120.86 on TCP port 1912, the non-standard port flagged in the signatures above. The connections open about 26 seconds apart; after the handshake each one sits idle for roughly 21 seconds until a packet from the server is answered by two client packets and the connection ends, and the next one opens about 5 seconds later on a fresh source port. The capture ends during the fifth connection. That fixed cadence, rather than any single packet, is what a network detection should key on, with the caveat that a few minutes of sandbox traffic is a small sample.
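A detection that keys on the cadence visible in the packet table, as an added example written for this page rather than code from the report or from Joe Security. It collapses packets into flows by the local host's ephemeral port, groups flows by remote endpoint, and measures the start-to-start gaps; the 5 % jitter tolerance, the four-connection minimum and the local-network prefix are assumptions chosen for the example. The embedded input is three packets per connection transcribed from the table above.

```python
# Added example (not Joe Sandbox code): beacon-cadence analysis over the
# packet table above. Outbound connections are identified by their
# ephemeral source port; the gaps between consecutive connection starts to
# the same remote endpoint are the signal a detection looks for.
import re
import statistics
from datetime import datetime

# Constructed input, transcribed from the report's packet table: first
# client packet, first server packet and last client packet per connection.
# Columns: timestamp, source port, dest port, source IP, dest IP.
SAMPLE_LINES = """
Jan 11, 2025 01:27:45.600434065 CET 49712 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:27:45.605454922 CET 1912 49712 87.120.120.86 192.168.2.6
Jan 11, 2025 01:28:07.003709078 CET 49712 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:28:12.025995970 CET 49868 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:28:12.032164097 CET 1912 49868 87.120.120.86 192.168.2.6
Jan 11, 2025 01:28:33.404418945 CET 49868 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:28:38.415697098 CET 49990 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:28:38.420757055 CET 1912 49990 87.120.120.86 192.168.2.6
Jan 11, 2025 01:28:59.794795036 CET 49990 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:29:04.806153059 CET 49993 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:29:04.811096907 CET 1912 49993 87.120.120.86 192.168.2.6
Jan 11, 2025 01:29:26.187247038 CET 49993 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:29:31.196924925 CET 49995 1912 192.168.2.6 87.120.120.86
Jan 11, 2025 01:29:31.202528000 CET 1912 49995 87.120.120.86 192.168.2.6
Jan 11, 2025 01:29:31.208620071 CET 49995 1912 192.168.2.6 87.120.120.86
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) \S+"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_ts(ts: str, frac: str) -> float:
    """Seconds since epoch. strptime's %f stops at 6 digits; the report has 9,
    so the fraction is handled separately."""
    base = datetime.strptime(ts, "%b %d, %Y %H:%M:%S")
    return (base - EPOCH).total_seconds() + int(frac) / 10 ** len(frac)


def analyse(lines, local_prefix="192.168.2.", max_cv=0.05, min_connections=4):
    """Return one summary per remote endpoint with a beaconing verdict."""
    # Collapse packets into flows keyed from the local host's point of view.
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = parse_ts(m["ts"], m["frac"])
        if m["src"].startswith(local_prefix):
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        else:
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        span = flows.setdefault(key, [t, t])
        span[0], span[1] = min(span[0], t), max(span[1], t)
    # Group flows by remote endpoint and measure start-to-start gaps.
    by_remote = {}
    for (_, _, dst, dport), (first, last) in flows.items():
        by_remote.setdefault((dst, dport), []).append((first, last))
    results = []
    for (dst, dport), spans in sorted(by_remote.items()):
        spans.sort()
        starts = [first for first, _ in spans]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        jitter = max(gaps) - min(gaps) if gaps else 0.0
        results.append({
            "remote": f"{dst}:{dport}",
            "connections": len(spans),
            "mean_gap": mean_gap,
            "jitter": jitter,
            "mean_duration": statistics.mean(last - first for first, last in spans),
            "beaconing": len(spans) >= min_connections and mean_gap > 0
                         and jitter / mean_gap <= max_cv,
        })
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_LINES):
        print(r)
```

On the transcribed rows the single remote endpoint 87.120.120.86:1912 comes out with five connections, a mean gap of about 26.4 s and under 40 ms of jitter, which is the flat profile a sleep-loop client produces. The mean duration is pulled down by the fifth connection, which the capture cut off after 12 ms; a production version would discard flows still open at capture end before computing durations.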

                                                                                                                                                                            Target ID:0
                                                                                                                                                                            Start time:19:27:41
                                                                                                                                                                            Start date:10/01/2025
                                                                                                                                                                            Path:C:\Users\user\Desktop\zAGUEDGSTM.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\zAGUEDGSTM.exe"
Imagebase:0xbd0000
File size:726'016 bytes
MD5 hash:2E9813378670EE5306AEA0D39794B450
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2142749084.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2142749084.000000000403C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2142749084.0000000004087000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:3
Start time:19:27:42
Start date:10/01/2025
Path:C:\Users\user\Desktop\zAGUEDGSTM.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\zAGUEDGSTM.exe"
Imagebase:0xd40000
File size:726'016 bytes
MD5 hash:2E9813378670EE5306AEA0D39794B450
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.3377135764.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:false


Execution Graph

Execution Coverage:9.2%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:38
Total number of Limit Nodes:7
execution_graph 15225 12dd6a8 DuplicateHandle 15226 12dd73e 15225->15226 15227 12d4668 15228 12d467a 15227->15228 15229 12d4686 15228->15229 15231 12d4778 15228->15231 15232 12d479d 15231->15232 15236 12d4878 15232->15236 15240 12d4888 15232->15240 15238 12d48af 15236->15238 15237 12d498c 15237->15237 15238->15237 15244 12d44b0 15238->15244 15242 12d48af 15240->15242 15241 12d498c 15241->15241 15242->15241 15243 12d44b0 CreateActCtxA 15242->15243 15243->15241 15245 12d5918 CreateActCtxA 15244->15245 15247 12d59db 15245->15247 15247->15247 15248 12dd460 15249 12dd4a6 GetCurrentProcess 15248->15249 15251 12dd4f8 GetCurrentThread 15249->15251 15253 12dd4f1 15249->15253 15252 12dd535 GetCurrentProcess 15251->15252 15254 12dd52e 15251->15254 15257 12dd56b 15252->15257 15253->15251 15254->15252 15255 12dd593 GetCurrentThreadId 15256 12dd5c4 15255->15256 15257->15255 15258 12db0d0 15259 12db0df 15258->15259 15262 12db1b8 15258->15262 15267 12db1c8 15258->15267 15263 12db1fc 15262->15263 15264 12db1d9 15262->15264 15263->15259 15264->15263 15265 12db400 GetModuleHandleW 15264->15265 15266 12db42d 15265->15266 15266->15259 15268 12db1d9 15267->15268 15269 12db1fc 15267->15269 15268->15269 15270 12db400 GetModuleHandleW 15268->15270 15269->15259 15271 12db42d 15270->15271 15271->15259
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 096d41b1321834c13876063b3eb8442f1c16cc2c9678f6107d369dc250712b84
• Instruction ID: 2403cba0bd2103626c9ebeca1e4ef1289f6c0c6e0ca07218a27935e611e1937e
• Opcode Fuzzy Hash: 096d41b1321834c13876063b3eb8442f1c16cc2c9678f6107d369dc250712b84
• Instruction Fuzzy Hash: E081B274E01219DFDB09DFA9D894AEEBBB2FF88300F248129D505AB365DB745942CF90
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 669d63ebb6e368ae7e491937844010e0b636139aa35765e77c1568ba97dfa156
• Instruction ID: 3f63ad494dcbc62fb39813b4688bdda4799492e5eb5953f380ebf43ba512e509
• Opcode Fuzzy Hash: 669d63ebb6e368ae7e491937844010e0b636139aa35765e77c1568ba97dfa156
• Instruction Fuzzy Hash: AF81A274E01219DFDB08DFA9D894AEEBBB2FF88300F248529D505AB365DB749941CF90

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 012DD4DE
• GetCurrentThread.KERNEL32 ref: 012DD51B
• GetCurrentProcess.KERNEL32 ref: 012DD558
• GetCurrentThreadId.KERNEL32 ref: 012DD5B1
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: e64bfbf0100162f26f99e99a1686bf922121764ffa8f7bce5502c194ba177e85
• Instruction ID: 9610551a56e65fd98eeb0d7950b033b2995456e0a8930a9ff0810e541c87c3eb
• Opcode Fuzzy Hash: e64bfbf0100162f26f99e99a1686bf922121764ffa8f7bce5502c194ba177e85
• Instruction Fuzzy Hash: 0B5164B090174A8FDB54CFA9D648BEEBBF1FF88314F208459D109A73A0DB74A944CB65

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 012DD4DE
• GetCurrentThread.KERNEL32 ref: 012DD51B
• GetCurrentProcess.KERNEL32 ref: 012DD558
• GetCurrentThreadId.KERNEL32 ref: 012DD5B1
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: b7418dd014d5cbc8c7f5ac59f54183f6365f77bd94491ce2121c62f02bf7fbc1
• Instruction ID: 524663224878eccb4aa25edfac225d87bd540fadb47ff70b047565883a9c2174
• Opcode Fuzzy Hash: b7418dd014d5cbc8c7f5ac59f54183f6365f77bd94491ce2121c62f02bf7fbc1
• Instruction Fuzzy Hash: 235165B090070A8FDB54CFA9D648BEEBBF1FF88314F208459D109A73A0DB74A944CB65

Control-flow Graph

control_flow_graph 44 12db1c8-12db1d7 45 12db1d9-12db1e6 call 12d9c38 44->45 46 12db203-12db207 44->46 53 12db1fc 45->53 54 12db1e8 45->54 47 12db209-12db213 46->47 48 12db21b-12db25c 46->48 47->48 55 12db25e-12db266 48->55 56 12db269-12db277 48->56 53->46 99 12db1ee call 12db460 54->99 100 12db1ee call 12db450 54->100 55->56 58 12db279-12db27e 56->58 59 12db29b-12db29d 56->59 57 12db1f4-12db1f6 57->53 60 12db338-12db3f8 57->60 62 12db289 58->62 63 12db280-12db287 call 12dae80 58->63 61 12db2a0-12db2a7 59->61 94 12db3fa-12db3fd 60->94 95 12db400-12db42b GetModuleHandleW 60->95 64 12db2a9-12db2b1 61->64 65 12db2b4-12db2bb 61->65 66 12db28b-12db299 62->66 63->66 64->65 69 12db2bd-12db2c5 65->69 70 12db2c8-12db2d1 call 12dae90 65->70 66->61 69->70 75 12db2de-12db2e3 70->75 76 12db2d3-12db2db 70->76 78 12db2e5-12db2ec 75->78 79 12db301-12db30e 75->79 76->75 78->79 80 12db2ee-12db2fe call 12daea0 call 12daeb0 78->80 84 12db331-12db337 79->84 85 12db310-12db32e 79->85 80->79 85->84 94->95 96 12db42d-12db433 95->96 97 12db434-12db448 95->97 96->97 99->57 100->57
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 012DB41E
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 40950f6594dc0152efba2652cad6d09e0b0b48e2f6247b98ca09e7cceb175758
• Instruction ID: b889dc70b608f007da4a7549c9788ebbb2d5ca9011038b31d87d9a4149857485
• Opcode Fuzzy Hash: 40950f6594dc0152efba2652cad6d09e0b0b48e2f6247b98ca09e7cceb175758
• Instruction Fuzzy Hash: 2B714670A10B068FE724DF69D4547AABBF1FF89204F108A2DD58AD7B50DB74E805CB90

Control-flow Graph

control_flow_graph 101 12d44b0-12d59d9 CreateActCtxA 104 12d59db-12d59e1 101->104 105 12d59e2-12d5a3c 101->105 104->105 112 12d5a3e-12d5a41 105->112 113 12d5a4b-12d5a4f 105->113 112->113 114 12d5a51-12d5a5d 113->114 115 12d5a60 113->115 114->115 117 12d5a61 115->117 117->117
APIs
• CreateActCtxA.KERNEL32(?), ref: 012D59C9
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 35b36e6e765f6fd452f92c0ea377dbd0b1f398b7c29c9747fb7d61198031f11b
• Instruction ID: 55c74bb4d8b156ae8cae98469dad9b1a654b9d00dc491352aa9224a937e7f549
• Opcode Fuzzy Hash: 35b36e6e765f6fd452f92c0ea377dbd0b1f398b7c29c9747fb7d61198031f11b
• Instruction Fuzzy Hash: 9741F4B1C1071DCBEB24CFA9C9447DEBBB5BF85704F20806AD508AB251DBB15945CF90

Control-flow Graph

control_flow_graph 118 12d590c-12d59d9 CreateActCtxA 120 12d59db-12d59e1 118->120 121 12d59e2-12d5a3c 118->121 120->121 128 12d5a3e-12d5a41 121->128 129 12d5a4b-12d5a4f 121->129 128->129 130 12d5a51-12d5a5d 129->130 131 12d5a60 129->131 130->131 133 12d5a61 131->133 133->133
APIs
• CreateActCtxA.KERNEL32(?), ref: 012D59C9
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 08c3564cf38e5bdc12a3758f75f81ee3953a455e4396caaad7fd553c0557a037
• Instruction ID: 83ce6bed6c2e3aeb923af3aa630ba0895bc96b9bff229fa3e7084b0d7bfb326e
• Opcode Fuzzy Hash: 08c3564cf38e5bdc12a3758f75f81ee3953a455e4396caaad7fd553c0557a037
• Instruction Fuzzy Hash: 2341F2B1C10719CFEB24CFA9C984BDDBBB5BF89704F20806AD508AB251DBB15945CF50

Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
control_flow_graph (nodes: id address-range [API]; edges: src->dst)
• 139: 12dd6a8-12dd73c (DuplicateHandle)
• 140: 12dd73e-12dd744
• 141: 12dd745-12dd762
• edges: 139->140, 139->141, 140->141
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012DD72F
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a9e807c868285dc505f496a535404a416b121617616bb045894a68e8384b7479
• Instruction ID: 85784af72f806795ad4511f5e0dfadb029bc38c84365e2c621c94960dd6fa65f
• Opcode Fuzzy Hash: a9e807c868285dc505f496a535404a416b121617616bb045894a68e8384b7479
• Instruction Fuzzy Hash: 1A21E4B59002499FDB10CF9AD984ADEBFF4FB48320F14801AE914A3350D374A950CF60

Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
control_flow_graph (nodes: id address-range [API]; edges: src->dst)
• 134: 12dd6a1-12dd73c (DuplicateHandle)
• 135: 12dd73e-12dd744
• 136: 12dd745-12dd762
• edges: 134->135, 134->136, 135->136
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012DD72F
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: cda46e80b6e0e6579b469a63dbef0f4a21e5136241770f0104d9ce06fdee5f5b
• Instruction ID: 298b22fb0c42f9e9ae3a30ee40b0c3e68041485f69169ab44afc622dc378302f
• Opcode Fuzzy Hash: cda46e80b6e0e6579b469a63dbef0f4a21e5136241770f0104d9ce06fdee5f5b
• Instruction Fuzzy Hash: A621C2B6D10249DFDB10CFA9D984ADEBBF4FB48324F14845AE918A3350D378A954CF64

Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
control_flow_graph (nodes: id address-range [API]; edges: src->dst)
• 144: 12db3b8-12db3f8
• 145: 12db3fa-12db3fd
• 146: 12db400-12db42b (GetModuleHandleW)
• 147: 12db42d-12db433
• 148: 12db434-12db448
• edges: 144->145, 144->146, 145->146, 146->147, 146->148, 147->148
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 012DB41E
Memory Dump Source
• Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 81bec75fde7dd6771c5559345098587bd769eeb7fc410abf4b429031eb614e72
• Instruction ID: ec88c8206b85f435ff59f0904442c73061c847d7bcc39a0b696eb6552c635ecc
• Opcode Fuzzy Hash: 81bec75fde7dd6771c5559345098587bd769eeb7fc410abf4b429031eb614e72
• Instruction Fuzzy Hash: 58110FB6C002498FDB10CF9AD444BDEFBF4EB88224F11841AD528A7210C3B9A545CFA1
Memory Dump Source
• Source File: 00000000.00000002.2140723942.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_127d000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd1d7ad4c51c1757f90eea392bf3eac1d5519f278fed3721957ae64cf37dbd0c
• Instruction ID: ef2b34cebffbd4ab2f3e28a7121e24e9d6619160a8e396d0906bbf83043b9fab
• Opcode Fuzzy Hash: fd1d7ad4c51c1757f90eea392bf3eac1d5519f278fed3721957ae64cf37dbd0c
• Instruction Fuzzy Hash: AC213372510248EFDB05DF54E9C0B27BF61FF88328F20C169EA090B256C376D416CAA1

Memory Dump Source
• Source File: 00000000.00000002.2140723942.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_127d000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7fd03b0172673a3f9bcec015ba363d6fcb5785020cc02dccfdbbd487df6a6f7
• Instruction ID: 310b8a1456ee78460ad87bc2eccd4bfc3e8ae973bbc712ff1afb211e0f4d1aaa
• Opcode Fuzzy Hash: e7fd03b0172673a3f9bcec015ba363d6fcb5785020cc02dccfdbbd487df6a6f7
• Instruction Fuzzy Hash: B12145B6110208EFDB05DF44D9C0B67BF65FF88324F20C16CEA0A0B256C376E456CAA1

Memory Dump Source
• Source File: 00000000.00000002.2140761501.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_128d000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 771c82b6447db7e78866c0fdbfaf2a3ab5fb3f1331d968206e75f62f0b7c7fd5
• Instruction ID: 7433604bfd34bf282eada8ab044cfef73c69dee5f3c8cb913c9e14997361e761
• Opcode Fuzzy Hash: 771c82b6447db7e78866c0fdbfaf2a3ab5fb3f1331d968206e75f62f0b7c7fd5
• Instruction Fuzzy Hash: 02212275614308EFDB15EFA4D9C0B26BB61FB84314F20C56DDA0A4B2D2C77AD40BCA61

Memory Dump Source
• Source File: 00000000.00000002.2140761501.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_128d000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cf14b4dc40b590b38000cd0f6b0680534d31d01a7648301d64004179d18cab4
• Instruction ID: 74090e68abad943ee69ca396b3cdc03ad72231f00812f7ae649a7c13528229f8
• Opcode Fuzzy Hash: 6cf14b4dc40b590b38000cd0f6b0680534d31d01a7648301d64004179d18cab4
• Instruction Fuzzy Hash: 4F213775524208EFDB05EF94D5C0F25BB61FB84324F20C56DD9094B2DBC376D80ACA61

Memory Dump Source
• Source File: 00000000.00000002.2140723942.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_127d000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
• Instruction ID: e37da4d5c37e2a78e773ffa43db2b91d0571a596d604637588ca0e68cd8e5660
• Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
• Instruction Fuzzy Hash: 2411DF76404284CFCB12CF54D5C0B16BF71FB84328F24C6A9D9490B256C33AD45ACBA1

Memory Dump Source
• Source File: 00000000.00000002.2140723942.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_127d000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
• Instruction ID: 183a8c248c36ea0e2038e5d55f373fb26ca9b8628aa7d337581744fc8b2c54fe
• Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
• Instruction Fuzzy Hash: 8111DFB6404285DFCB02CF44D5C0B56BF71FB84324F24C2A9D9090B257C33AE456CBA1

Memory Dump Source
• Source File: 00000000.00000002.2140761501.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_128d000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
• Instruction ID: fafcbb7d3d7162cec0a08ca21de5f3e15f86871e620c00dbae7d963cd3bc0e45
• Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
• Instruction Fuzzy Hash: EF11BB75504288DFDB02DF54C5C0B15BBA1FB84324F24C6A9D9494B2ABC33AD41ACB61

Memory Dump Source
• Source File: 00000000.00000002.2140761501.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_128d000_zAGUEDGSTM.jbxd
Similarity
• API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                                                                              • Instruction ID: c032590b11251f37af7129600c4475be3fc1c3dc8f4d83157da56ec5f510081f
                                                                                                                                                                              • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                                                                                                                              • Instruction Fuzzy Hash: 1011BB75504288CFDB12DF54D5C4B15BBA2FB84314F24C6AAD9494B696C33AD40BCBA2
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2140723942.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_127d000_zAGUEDGSTM.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: e1a67f694ddbd7440b895542bf57dd1ce4b9b8f423aceef2fab83ad4ad80822d
                                                                                                                                                                              • Instruction ID: 02d4242b00368b0ac274f0d9dc0cecd7d3ee90e408de30375f9aa30270ff45bb
                                                                                                                                                                              • Opcode Fuzzy Hash: e1a67f694ddbd7440b895542bf57dd1ce4b9b8f423aceef2fab83ad4ad80822d
                                                                                                                                                                              • Instruction Fuzzy Hash: 39012B720143889AF7145EA9CD84B67FF98DF81334F08C51AEF080E282C7B99841C6B1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2140723942.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_127d000_zAGUEDGSTM.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 98968516929d596934f434448c59bdf26a4fd4f2573b7cd4cb732e57f0bf6b14
                                                                                                                                                                              • Instruction ID: 67e9c9f911998deb6a3fd23c19014881e8038c2a6151c81bbb9dc23fab72757a
                                                                                                                                                                              • Opcode Fuzzy Hash: 98968516929d596934f434448c59bdf26a4fd4f2573b7cd4cb732e57f0bf6b14
                                                                                                                                                                              • Instruction Fuzzy Hash: F1F0C2724043849AE7158E19CD84B63FF98EF81634F18C45AEE080A287C3799840CBB1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.2141372444.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_12d0000_zAGUEDGSTM.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 99c6c632f4cc636971439a86387a9a690b143ba31e8aae5a9312e42bce115815
                                                                                                                                                                              • Instruction ID: ab748aee249c262bb8257a9c7eb39d985763e48e15094a3b7d06bec338ab8118
                                                                                                                                                                              • Opcode Fuzzy Hash: 99c6c632f4cc636971439a86387a9a690b143ba31e8aae5a9312e42bce115815
                                                                                                                                                                              • Instruction Fuzzy Hash: 04A16032E10216CFCF19DFB4C9405AEBBB2FF84301B15856AE906AF265DB71D916CB80

                                                                                                                                                                              Execution Graph

                                                                                                                                                                              Execution Coverage:8.4%
                                                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                              Signature Coverage:0%
                                                                                                                                                                              Total number of Nodes:77
                                                                                                                                                                              Total number of Limit Nodes:6
                                                                                                                                                                              execution_graph 29182 15fd01c 29183 15fd034 29182->29183 29184 15fd08e 29183->29184 29187 5692c08 29183->29187 29196 5690ad4 29183->29196 29189 5692c18 29187->29189 29188 5692c79 29221 5690bfc 29188->29221 29189->29188 29191 5692c69 29189->29191 29205 5692e6c 29191->29205 29211 5692d90 29191->29211 29216 5692da0 29191->29216 29192 5692c77 29197 5690adf 29196->29197 29198 5692c79 29197->29198 29200 5692c69 29197->29200 29199 5690bfc CallWindowProcW 29198->29199 29201 5692c77 29199->29201 29202 5692e6c CallWindowProcW 29200->29202 29203 5692da0 CallWindowProcW 29200->29203 29204 5692d90 CallWindowProcW 29200->29204 29202->29201 29203->29201 29204->29201 29206 5692e7a 29205->29206 29207 5692e2a 29205->29207 29225 5692e48 29207->29225 29229 5692e58 29207->29229 29208 5692e40 29208->29192 29213 5692da0 29211->29213 29212 5692e40 29212->29192 29214 5692e48 CallWindowProcW 29213->29214 29215 5692e58 CallWindowProcW 29213->29215 29214->29212 29215->29212 29218 5692db4 29216->29218 29217 5692e40 29217->29192 29219 5692e48 CallWindowProcW 29218->29219 29220 5692e58 CallWindowProcW 29218->29220 29219->29217 29220->29217 29222 5690c07 29221->29222 29223 569435a CallWindowProcW 29222->29223 29224 5694309 29222->29224 29223->29224 29224->29192 29226 5692e58 29225->29226 29227 5692e69 29226->29227 29232 5694293 29226->29232 29227->29208 29230 5692e69 29229->29230 29231 5694293 CallWindowProcW 29229->29231 29230->29208 29231->29230 29233 5690bfc CallWindowProcW 29232->29233 29234 56942aa 29233->29234 29234->29227 29235 2f7d0b8 29236 2f7d0fe 29235->29236 29240 2f7d289 29236->29240 29243 2f7d298 29236->29243 29237 2f7d1eb 29242 2f7d2c6 29240->29242 29246 2f7c9a0 29240->29246 29242->29237 29244 2f7c9a0 DuplicateHandle 29243->29244 29245 2f7d2c6 29244->29245 29245->29237 29247 2f7d300 DuplicateHandle 29246->29247 
29248 2f7d396 29247->29248 29248->29242 29249 2f7ad38 29252 2f7ae30 29249->29252 29250 2f7ad47 29253 2f7ae64 29252->29253 29254 2f7ae41 29252->29254 29253->29250 29254->29253 29255 2f7b068 GetModuleHandleW 29254->29255 29256 2f7b095 29255->29256 29256->29250 29257 2f74668 29258 2f74684 29257->29258 29259 2f74696 29258->29259 29261 2f747a0 29258->29261 29262 2f747c5 29261->29262 29266 2f748a1 29262->29266 29270 2f748b0 29262->29270 29268 2f748b0 29266->29268 29267 2f749b4 29267->29267 29268->29267 29274 2f74248 29268->29274 29271 2f748d7 29270->29271 29272 2f74248 CreateActCtxA 29271->29272 29273 2f749b4 29271->29273 29272->29273 29275 2f75940 CreateActCtxA 29274->29275 29277 2f75a03 29275->29277

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02F7B086
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.3378784737.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2f70000_zAGUEDGSTM.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                                              • Opcode ID: 4fe34e7fa5cdfb36453319371153beaf1a4dc452a4a5c3c4c8e3542d9cb6fb89
                                                                                                                                                                              • Instruction ID: 3b3c9519dd10bf57c3a7be63e76d362a8bb9d74413274d5da8079c2f3218fc49
                                                                                                                                                                              • Opcode Fuzzy Hash: 4fe34e7fa5cdfb36453319371153beaf1a4dc452a4a5c3c4c8e3542d9cb6fb89
                                                                                                                                                                              • Instruction Fuzzy Hash: 187146B0A00B058FD724DF2AD54479ABBF2FF88344F04892EE58AD7A40DB74E845CB91

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 60 5690bfc-56942fc 63 56943ac-56943cc call 5690ad4 60->63 64 5694302-5694307 60->64 71 56943cf-56943dc 63->71 66 5694309-5694340 64->66 67 569435a-5694392 CallWindowProcW 64->67 73 5694349-5694358 66->73 74 5694342-5694348 66->74 69 569439b-56943aa 67->69 70 5694394-569439a 67->70 69->71 70->69 73->71 74->73
                                                                                                                                                                              APIs
                                                                                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05694381
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.3380744894.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_5690000_zAGUEDGSTM.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CallProcWindow
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2714655100-0
                                                                                                                                                                              • Opcode ID: cf28432c5c31bacf867e1b7ce0273faef304b9d5cb85103076f366d43496d213
                                                                                                                                                                              • Instruction ID: d574c3f53c28a4ef896b2ce14fb04221454ce6bd732cc663e145676de7c214d0
                                                                                                                                                                              • Opcode Fuzzy Hash: cf28432c5c31bacf867e1b7ce0273faef304b9d5cb85103076f366d43496d213
                                                                                                                                                                              • Instruction Fuzzy Hash: 584116B59003098FCF14CF9AC448AAABBF9FF88315F248559D519AB321DB74A841CBA0

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 77 2f74248-2f75a01 CreateActCtxA 80 2f75a03-2f75a09 77->80 81 2f75a0a-2f75a64 77->81 80->81 88 2f75a66-2f75a69 81->88 89 2f75a73-2f75a77 81->89 88->89 90 2f75a79-2f75a85 89->90 91 2f75a88-2f75ab8 89->91 90->91 95 2f75a6a 91->95 96 2f75aba-2f75b3c 91->96 95->89
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 02F759F1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.3378784737.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2f70000_zAGUEDGSTM.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Create
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                                              • Opcode ID: fbeb37ff78b1e08351bc3a1d9413af502ffe66c128d5583ff61c7687cc3d63f4
                                                                                                                                                                              • Instruction ID: 0650362e89d2825bbcb1e00fa1913e23f4a8a1a6fd3b490261b89c551f7e137c
                                                                                                                                                                              • Opcode Fuzzy Hash: fbeb37ff78b1e08351bc3a1d9413af502ffe66c128d5583ff61c7687cc3d63f4
                                                                                                                                                                              • Instruction Fuzzy Hash: 3A41D270D0071DCBEB24CFA9C984B9EBBB5FF48704F60806AD908AB251DB756949CF90

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 98 2f75935-2f7593c 99 2f75944-2f75a01 CreateActCtxA 98->99 101 2f75a03-2f75a09 99->101 102 2f75a0a-2f75a64 99->102 101->102 109 2f75a66-2f75a69 102->109 110 2f75a73-2f75a77 102->110 109->110 111 2f75a79-2f75a85 110->111 112 2f75a88-2f75ab8 110->112 111->112 116 2f75a6a 112->116 117 2f75aba-2f75b3c 112->117 116->110
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 02F759F1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.3378784737.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2f70000_zAGUEDGSTM.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Create
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                                              • Opcode ID: 9d339b223f912d65a99e78dae13a70cc472ebd2480d90ca206889ead89c85ce9
                                                                                                                                                                              • Instruction ID: 11604f8b03e355bb5898a71afe779606c1545f318f8c1e1a69696645198405ef
                                                                                                                                                                              • Opcode Fuzzy Hash: 9d339b223f912d65a99e78dae13a70cc472ebd2480d90ca206889ead89c85ce9
                                                                                                                                                                              • Instruction Fuzzy Hash: 3041D0B0D0071DCBEB24DFA9C984B9EBBB5FF48304F64806AD508AB251DB756949CF90

Control-flow Graph
control_flow_graph 119 2f7c9a0-2f7d394 DuplicateHandle 121 2f7d396-2f7d39c 119->121 122 2f7d39d-2f7d3ba 119->122 121->122
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F7D2C6,?,?,?,?,?), ref: 02F7D387
Memory Dump Source
• Source File: 00000003.00000002.3378784737.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2f70000_zAGUEDGSTM.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 72eaeb5232ff67002124328848e022940547f96f45499a87463ff69441688770
• Instruction ID: e64558eaad8298e421596e025b4f51b3c610f0d6257136b1b00d95336b7f0534
• Opcode Fuzzy Hash: 72eaeb5232ff67002124328848e022940547f96f45499a87463ff69441688770
• Instruction Fuzzy Hash: DE21E3B5900249DFDB10CF9AD984AEEBBF4EF48324F14841AE918A7350D374A950CFA4

Control-flow Graph
control_flow_graph 125 2f7d2f9-2f7d394 DuplicateHandle 126 2f7d396-2f7d39c 125->126 127 2f7d39d-2f7d3ba 125->127 126->127
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F7D2C6,?,?,?,?,?), ref: 02F7D387
Memory Dump Source
• Source File: 00000003.00000002.3378784737.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2f70000_zAGUEDGSTM.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 260cdc62a79d01d9c98f3a0b8a4188c604bb272a7c1ae845f7801ca1b7218e32
• Instruction ID: 83051b11756ed02f8069614adf901da8bc032b1956939959de0c75d59f541d51
• Opcode Fuzzy Hash: 260cdc62a79d01d9c98f3a0b8a4188c604bb272a7c1ae845f7801ca1b7218e32
• Instruction Fuzzy Hash: B121E2B5D00249DFDB10CFAAD585AEEBBF4FF48324F24841AE918A3250D378A950CF64

Control-flow Graph
control_flow_graph 130 2f7b020-2f7b060 131 2f7b062-2f7b065 130->131 132 2f7b068-2f7b093 GetModuleHandleW 130->132 131->132 133 2f7b095-2f7b09b 132->133 134 2f7b09c-2f7b0b0 132->134 133->134
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02F7B086
Memory Dump Source
• Source File: 00000003.00000002.3378784737.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2f70000_zAGUEDGSTM.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 66452f32ada2a52051ec90dcf2d4f2527ca5b6ad7ba75308697365410981b408
• Instruction ID: 9b50b20db1367cbf21f0fdeeea861a643c9ecde67e0915df53cc5bb3f715cc7d
• Opcode Fuzzy Hash: 66452f32ada2a52051ec90dcf2d4f2527ca5b6ad7ba75308697365410981b408
• Instruction Fuzzy Hash: 0411DFB6C007498FDB20CF9AC544B9EFBF4AB89728F10845AD529A7210D379A545CFA1

Memory Dump Source
• Source File: 00000003.00000002.3378360694.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15ed000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64d068d74b76293fed66d93b30a5e28fe3691ab0aa7162b8eafef5777ab59091
• Instruction ID: 3a8695f95f5b37ec3e0172c9b9cebcfbc0084414357b76c623be9e3574f9d254
• Opcode Fuzzy Hash: 64d068d74b76293fed66d93b30a5e28fe3691ab0aa7162b8eafef5777ab59091
• Instruction Fuzzy Hash: E4212476900204DFDB09DF44D9C4B6ABFF5FB98324F20C568E9090F256C3B6E456CAA1

Memory Dump Source
• Source File: 00000003.00000002.3378432160.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15fd000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d55ea227369d382a9c78fa9fdda47eb6a6c33c51b7c40d8fa4c023477b365cb5
• Instruction ID: 1f30386ef5345a7b4b4e9a8065800ba0a2218489e3af40010b262cdf3ca15209
• Opcode Fuzzy Hash: d55ea227369d382a9c78fa9fdda47eb6a6c33c51b7c40d8fa4c023477b365cb5
• Instruction Fuzzy Hash: D3214275204200EFDB15DF54D9C0B2ABBB9FB84314F20C96DEA0A4F252D33AC407CA61

Memory Dump Source
• Source File: 00000003.00000002.3378432160.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15fd000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94bcb406b2daf08cda1efdf605dc735ee6a9daf8a3c0622e0ad2f65889c8ec80
• Instruction ID: 061297e0a33ca7eec2598854b6bcd430a6697fee346abc5043b7e9897d288d86
• Opcode Fuzzy Hash: 94bcb406b2daf08cda1efdf605dc735ee6a9daf8a3c0622e0ad2f65889c8ec80
• Instruction Fuzzy Hash: 15218E755093808FCB03CF24D990719BF71FB46214F28C5EAD9498F6A7C33A980ACB62

Memory Dump Source
• Source File: 00000003.00000002.3378360694.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15ed000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
• Instruction ID: 920a94c8ea2d537f12f16267e7df387a04249ee6f668110719d789d2b5639bee
• Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
• Instruction Fuzzy Hash: 5611CDB6804280CFCB06CF44D5C4B5ABFB2FB94224F2482A9D8090A256C37AE456CBA1

Memory Dump Source
• Source File: 00000003.00000002.3378360694.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15ed000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ff97a0cc8a119c0f7a7e6ec5cc0455686bc3aa87cf24f207f8cd7b55eb0e12b
• Instruction ID: 48164d9da04f70dfe310f33b6542e0b260956f6cb8c90b4ef1e4be329c12a2fb
• Opcode Fuzzy Hash: 0ff97a0cc8a119c0f7a7e6ec5cc0455686bc3aa87cf24f207f8cd7b55eb0e12b
• Instruction Fuzzy Hash: 1FF0F976600614AF97248F0AD984C27FBFDFBD4770719C55AE94A4B612C671EC41CEA0

Memory Dump Source
• Source File: 00000003.00000002.3378360694.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15ed000_zAGUEDGSTM.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 142d0ad766134e3533bb224a5e1f35da1c0a70788960f0168ee63b8dc34d083b
• Instruction ID: 85ccc5f048b22c30a34bcd64437a034112ec869015468ccd43a2061e3172d9b8
• Opcode Fuzzy Hash: 142d0ad766134e3533bb224a5e1f35da1c0a70788960f0168ee63b8dc34d083b
• Instruction Fuzzy Hash: B1F03775104A80AFD7258F06C984C23BFF9FF8A6607198489E88A4B262C671FC42CF60