Windows Analysis Report
shaLnqmyTS.exe

Overview

General Information

Sample name: shaLnqmyTS.exe (renamed because the original name is a hash value)
Original sample name: 2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd.exe
Analysis ID: 1588696
MD5: 8b2612c44a0951e150dc47ba2741d26e
SHA1: 0d5a4030a841a8a77c130f6689712e24aaa9a674
SHA256: 2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd
Tags: exe, RedLineStealer, user-adrian__luca

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • shaLnqmyTS.exe (PID: 5172 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
    • shaLnqmyTS.exe (PID: 6680 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
    • shaLnqmyTS.exe (PID: 1408 cmdline: "C:\Users\user\Desktop\shaLnqmyTS.exe" MD5: 8B2612C44A0951E150DC47BA2741D26E)
  • cleanup
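The process tree above shows the pattern behind the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures: PID 5172 starts two further copies of its own image (6680 and 1408) with an identical command line and hash, which is what a RunPE-style self-injection looks like from process telemetry. The following is an added detection example, not part of the Joe Sandbox report. The events are constructed to mirror the tree and use Sysmon Event ID 1 (ProcessCreate) field names; the explorer.exe parent, its PID, the notepad control event and the allow-list are assumed.

```python
"""Flag a process that starts identical copies of itself (the tree above)."""
from collections import defaultdict

IMAGE = r"C:\Users\user\Desktop\shaLnqmyTS.exe"
CMD = f'"{IMAGE}"'                      # command line exactly as in the tree
HASH = "MD5=8B2612C44A0951E150DC47BA2741D26E"


def _ev(pid, ppid, image, parent_image, cmd, parent_cmd, hashes):
    """Build a minimal Sysmon Event ID 1 record."""
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent_image,
            "CommandLine": cmd, "ParentCommandLine": parent_cmd,
            "Hashes": hashes}


# Constructed events. 5172 -> 6680 and 5172 -> 1408 mirror the report; the
# explorer.exe launch (assumed parent PID 3420) and the notepad child are
# benign controls that must not fire.
EVENTS = [
    _ev(5172, 3420, IMAGE, r"C:\Windows\explorer.exe", CMD,
        r"C:\Windows\Explorer.EXE", HASH),
    _ev(6680, 5172, IMAGE, IMAGE, CMD, CMD, HASH),
    _ev(1408, 5172, IMAGE, IMAGE, CMD, CMD, HASH),
    _ev(7044, 5172, r"C:\Windows\System32\notepad.exe", IMAGE,
        "notepad.exe", CMD, "MD5=constructed"),
]

# Browsers and some installers legitimately start copies of themselves, but
# with different arguments (--type=renderer, /silent, ...). Requiring an
# identical command line removes most of that noise; an allow-list (assumed
# entry below) handles the rest.
ALLOWED_SELF_SPAWN = {r"c:\program files\google\chrome\application\chrome.exe"}


def find_self_spawns(events):
    """Return [(parent_pid, child_pid, image)] for every process-create event
    whose image and command line equal those of its parent."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        image = e["Image"].lower()
        if image != e["ParentImage"].lower():
            continue
        if e["CommandLine"].strip() != e["ParentCommandLine"].strip():
            continue
        if image in ALLOWED_SELF_SPAWN:
            continue
        hits.append((e["ParentProcessId"], e["ProcessId"], e["Image"]))
    return hits


def fan_out(events):
    """Count identical self-spawned children per parent. Two or more copies
    from one parent, as here (5172 -> 6680 and 1408), is the stronger signal;
    a single copy is common for updaters and elevation helpers."""
    counts = defaultdict(int)
    for ppid, _cpid, _image in find_self_spawns(events):
        counts[ppid] += 1
    return dict(counts)


if __name__ == "__main__":
    for ppid, cpid, image in find_self_spawns(EVENTS):
        print(f"self-spawn: {ppid} -> {cpid} {image}")
    print("fan-out:", fan_out(EVENTS))
```

Sysmon does not record the CREATE_SUSPENDED flag, so the "suspended mode" part of the signature needs API-level telemetry (EDR or ETW); a Sysmon Event ID 10 (ProcessAccess) from the parent to the freshly created child is the usual corroboration for the hollowing step.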
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000004.00000002.2534725479.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.1305242014.00000000043CC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.1305242014.0000000004389000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: shaLnqmyTS.exe PID: 5172 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(2 further entries not shown)
Source | Rule | Description | Author | Strings
0.2.shaLnqmyTS.exe.43d4b90.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.shaLnqmyTS.exe.43d4b90.1.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | (strings below)
  • 0x24cc3:$gen01: ChromeGetRoamingName
  • 0x24ce8:$gen02: ChromeGetLocalName
  • 0x24d2b:$gen03: get_UserDomainName
  • 0x28bc4:$gen04: get_encrypted_key
  • 0x27943:$gen05: browserPaths
  • 0x27c19:$gen06: GetBrowsers
  • 0x27501:$gen07: get_InstalledInputLanguages
  • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x296be:$spe9: *wallet*
  • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.shaLnqmyTS.exe.4389970.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.shaLnqmyTS.exe.4389970.3.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | (strings below)
  • 0x24cc3:$gen01: ChromeGetRoamingName
  • 0x24ce8:$gen02: ChromeGetLocalName
  • 0x24d2b:$gen03: get_UserDomainName
  • 0x28bc4:$gen04: get_encrypted_key
  • 0x27943:$gen05: browserPaths
  • 0x27c19:$gen06: GetBrowsers
  • 0x27501:$gen07: get_InstalledInputLanguages
  • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x296be:$spe9: *wallet*
  • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
4.2.shaLnqmyTS.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(5 further entries not shown)
No Sigma rule has matched
No Suricata rule has matched
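Three of the Sekoia matches above ($spe1, $spe7, $spe8) look garbled but are not: each carries one junk token ("String", "FileInfo", "Generic") spliced between fragments of a real string, and removing the token yields the cleartext, which is consistent with a Replace(junk, "") call at run time. This is an added example, neither the report's nor Sekoia's code; the three strings and their tokens are copied from the match list, while guess_junk() and its thresholds are an assumed heuristic for strings whose token is not known in advance.

```python
"""Decode the split-string obfuscation seen in the matched RedLine strings."""
import re

# Matched strings from the rule output above, paired with their junk token.
OBFUSCATED = {
    "$spe1": (r"[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}", "String"),
    "$spe7": ("OFileInfopeFileInfora GFileInfoX StabFileInfole", "FileInfo"),
    "$spe8": ("ApGenericpDaGenericta\\RGenericoamiGenericng\\", "Generic"),
}


def strip_junk(value, junk):
    """Reassemble the real string by deleting every copy of the junk token."""
    return value.replace(junk, "")


def guess_junk(value, min_len=4):
    """Infer the junk token without knowing it: the alphabetic substring of at
    least min_len characters that repeats most often (the longest wins ties).
    Returns None when nothing repeats, e.g. for an already clean string.
    Heuristic (assumed): a genuinely repetitive cleartext would fool it."""
    best = None  # (token, count)
    for run in re.findall(r"[A-Za-z]+", value):
        for i in range(len(run)):
            for j in range(i + min_len, len(run) + 1):
                tok = run[i:j]
                n = value.count(tok)
                if n >= 2 and (best is None or (n, len(tok)) > (best[1], len(best[0]))):
                    best = (tok, n)
    return best[0] if best else None


def decode_all(obfuscated=OBFUSCATED):
    """Return {name: cleartext}, refusing to proceed if the heuristic disagrees
    with the token read off the match list."""
    out = {}
    for name, (value, junk) in obfuscated.items():
        guessed = guess_junk(value)
        if guessed != junk:
            raise ValueError(f"{name}: heuristic guessed {guessed!r}, expected {junk!r}")
        out[name] = strip_junk(value, junk)
    return out


def looks_like_discord_token(s):
    """Apply the decoded $spe1 regex. Its 24.6.27 layout is the well-known
    shape of a Discord token, one of the values the stealer searches for."""
    pattern = decode_all()["$spe1"]
    return re.fullmatch(pattern, s) is not None


if __name__ == "__main__":
    for name, clear in decode_all().items():
        print(f"{name}: {clear}")
```

Decoded, $spe7 is "Opera GX Stable" (a browser profile name), $spe8 is "AppData\Roaming\" (the profile root the stealer walks) and $spe1 is the token regex; searching memory for the cleartext forms therefore finds nothing, which is exactly why the Sekoia rule matches the spliced forms instead.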

AV Detection

Source: 00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: shaLnqmyTS.exe | Virustotal: Detection: 37%
Source: shaLnqmyTS.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: shaLnqmyTS.exe | Joe Sandbox ML: detected
Source: shaLnqmyTS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: shaLnqmyTS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.000000000130F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001274000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbNqx source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001274000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb_ source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001326000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001306000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001274000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdbLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: shaLnqmyTS.exe, 00000004.00000002.2536007924.00000000012CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001274000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor | URLs: 87.120.120.86:1912
Source: global traffic | TCP traffic: 192.168.2.7:49702 -> 87.120.120.86:1912
Source: Joe Sandbox View | IP Address: 87.120.120.86
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86 (reported 23 times)
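The configuration carries a bare IP:port rather than a domain, which is why the sandbox saw TCP sessions to 87.120.120.86 with no preceding DNS query and why domain-based blocking would not help here. The following added example, not part of the report, turns those two observations into checks over connection and DNS records: a direct match on the extracted C2 endpoint, and the generic "non-standard port to a destination that no DNS answer ever returned" heuristic. The C2 endpoint and the first connection record come from the configuration and the global-traffic line above; every other record, the Zeek-like field layout, the standard-port set and the local-network list are assumed.

```python
"""Turn the extracted RedLine configuration into network checks."""
import ipaddress
import json

# Extracted configuration, verbatim from the report.
CONFIG_JSON = ('{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", '
               '"Authorization Header": "c74790bd166600f1f665c8ce201776eb"}')

# Constructed DNS answers (documentation range): only 203.0.113.10 was ever
# returned by a resolver during the capture.
DNS_ANSWERS = [
    {"query": "cdn.example.net", "answers": ["203.0.113.10"]},
]

# Constructed connection records. The first mirrors the report's flow; the
# other three are controls: resolved host on an odd port, unresolved host on
# an odd port that is not in the config, and local DNS.
CONNS = [
    {"src": "192.168.2.7", "sport": 49702, "dst": "87.120.120.86", "dport": 1912, "proto": "tcp"},
    {"src": "192.168.2.7", "sport": 49710, "dst": "203.0.113.10", "dport": 8443, "proto": "tcp"},
    {"src": "192.168.2.7", "sport": 49715, "dst": "198.51.100.7", "dport": 8080, "proto": "tcp"},
    {"src": "192.168.2.7", "sport": 55120, "dst": "192.168.2.1", "dport": 53, "proto": "udp"},
]

STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}   # assumed baseline
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_c2(config_json):
    """Return {(host, port)} from the 'C2 url' list; entries are host:port."""
    endpoints = set()
    for entry in json.loads(config_json).get("C2 url", []):
        host, _, port = entry.rpartition(":")
        endpoints.add((host, int(port)))
    return endpoints


def resolved_ips(dns_answers):
    """Every IP that appeared in any DNS answer of the capture."""
    return {ip for rec in dns_answers for ip in rec["answers"]}


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def run_checks(conns, config_json, dns_answers):
    """Return {(dst, dport): [reason, ...]} for every flagged connection.
    c2-config: endpoint is in the extracted configuration.
    no-dns-nonstd-port: TCP to a non-local host on a non-standard port whose
    IP never appeared in a DNS answer (the behaviour the sandbox reported)."""
    c2 = parse_c2(config_json)
    resolved = resolved_ips(dns_answers)
    findings = {}
    for c in conns:
        reasons = []
        if (c["dst"], c["dport"]) in c2:
            reasons.append("c2-config")
        if (c["proto"] == "tcp" and c["dport"] not in STANDARD_PORTS
                and not is_local(c["dst"]) and c["dst"] not in resolved):
            reasons.append("no-dns-nonstd-port")
        if reasons:
            findings[(c["dst"], c["dport"])] = reasons
    return findings


if __name__ == "__main__":
    for (dst, port), reasons in run_checks(CONNS, CONFIG_JSON, DNS_ANSWERS).items():
        print(f"{dst}:{port} -> {', '.join(reasons)}")
```

The no-DNS heuristic is only as good as the DNS visibility it is given (DoH, cached answers and CDNs addressed by IP all produce false positives), so treat it as a triage signal and the config match as the actual block. The Bot Id and Authorization values are build identifiers useful for clustering samples; given the System.ServiceModel and tempuri.org strings elsewhere in this report, the channel is a WCF service rather than plain HTTP, so do not expect to match that value as an HTTP header on the wire.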
Source: shaLnqmyTS.exe | String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/
The http://tempuri.org/Entity/... strings below are SOAP action URIs: tempuri.org is the default contract namespace that WCF (System.ServiceModel, cf. the PDB strings above) assigns when a service contract declares none, and the ...Response suffix is WCF's default reply-action name, so the IdNN values are the operation names of the service contract the sample carries.
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory (each of the following was found in all five regions):
  • http://tempuri.org/Entity/Id10LR
  • http://tempuri.org/Entity/Id10Response
  • http://tempuri.org/Entity/Id11LR
  • http://tempuri.org/Entity/Id11Response
  • http://tempuri.org/Entity/Id12LR
  • http://tempuri.org/Entity/Id12Response
  • http://tempuri.org/Entity/Id13LR
  • http://tempuri.org/Entity/Id13Response
  • http://tempuri.org/Entity/Id14LR
  • http://tempuri.org/Entity/Id14Response
  • http://tempuri.org/Entity/Id15LR
  • http://tempuri.org/Entity/Id15Response
  • http://tempuri.org/Entity/Id16LR
  • http://tempuri.org/Entity/Id16Response
  • http://tempuri.org/Entity/Id17LR
  • http://tempuri.org/Entity/Id17Response
  • http://tempuri.org/Entity/Id18LR
  • http://tempuri.org/Entity/Id18Response
  • http://tempuri.org/Entity/Id19LR
  • http://tempuri.org/Entity/Id19Response
  • http://tempuri.org/Entity/Id1LR
  • http://tempuri.org/Entity/Id1Response
  • http://tempuri.org/Entity/Id20LR
  • http://tempuri.org/Entity/Id20Response
  • http://tempuri.org/Entity/Id21LR
  • http://tempuri.org/Entity/Id21Response
  • http://tempuri.org/Entity/Id22LR
  • http://tempuri.org/Entity/Id22Response
  • http://tempuri.org/Entity/Id23Response
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LR
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/x
                  Source: shaLnqmyTS.exe, 00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000000.00000002.1305242014.00000000043CC000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000000.00000002.1305242014.0000000004389000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2534725479.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip

                  System Summary

                  Source: 0.2.shaLnqmyTS.exe.43d4b90.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.shaLnqmyTS.exe.4389970.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 4.2.shaLnqmyTS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.shaLnqmyTS.exe.4389970.3.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.shaLnqmyTS.exe.43d4b90.1.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_0197DF14
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_06474620
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_06474630
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_0647A1E0
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_064741F8
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_06475E5F
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_06475E70
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_06473DC0
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 0_2_06474A68
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Code function: 4_2_013DDC74
                  Source: shaLnqmyTS.exe, 00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000002.1305242014.00000000044F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000002.1305242014.00000000044F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000002.1315319909.0000000007810000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000002.1314006839.0000000005C40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000002.1303364759.00000000033C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000000.1291386185.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedLRK.exe0 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000002.1302180953.00000000015FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000000.00000002.1305242014.00000000043CC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe, 00000004.00000002.2534725479.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe | Binary or memory string: OriginalFilenamedLRK.exe0 vs shaLnqmyTS.exe
                  Source: shaLnqmyTS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.shaLnqmyTS.exe.43d4b90.1.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.shaLnqmyTS.exe.4389970.3.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 4.2.shaLnqmyTS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.shaLnqmyTS.exe.4389970.3.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.shaLnqmyTS.exe.43d4b90.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: shaLnqmyTS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal96.troj.evad.winEXE@5/1@0/1
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shaLnqmyTS.exe.log
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Mutant created: NULL
                  Source: shaLnqmyTS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: shaLnqmyTS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: shaLnqmyTS.exe | Virustotal: Detection: 37%
                  Source: shaLnqmyTS.exe | ReversingLabs: Detection: 71%
                  Source: unknown | Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe"
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe"
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe"
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe"
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe"
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: iconcodecservice.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: msvcp140_clr0400.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: shaLnqmyTS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: shaLnqmyTS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.000000000130F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001274000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbNqx source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001274000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb_ source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001326000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001306000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001274000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdbLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: shaLnqmyTS.exe, 00000004.00000002.2536007924.00000000012CF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: shaLnqmyTS.exe, 00000004.00000002.2536007924.0000000001274000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeCode function: 0_2_0197EE60 push esp; iretd 0_2_0197EE61
                  Source: shaLnqmyTS.exeStatic PE information: section name: .text entropy: 7.813051520440733
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\shaLnqmyTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

Source: Yara match; File source: Process Memory Space: shaLnqmyTS.exe PID: 5172, type: MEMORYSTR
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 1930000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 3380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 79E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 89E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 8B70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 9B70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 1380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: 4EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shaLnqmyTS.exe TID: 6444; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Thread delayed: delay time: 922337203685477
Source: shaLnqmyTS.exe, 00000004.00000002.2536007924.000000000130F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Memory written: C:\Users\user\Desktop\shaLnqmyTS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe"
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Process created: C:\Users\user\Desktop\shaLnqmyTS.exe "C:\Users\user\Desktop\shaLnqmyTS.exe"
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Users\user\Desktop\shaLnqmyTS.exe VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Users\user\Desktop\shaLnqmyTS.exe VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\shaLnqmyTS.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match; File source: 0.2.shaLnqmyTS.exe.43d4b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.shaLnqmyTS.exe.4389970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.shaLnqmyTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.shaLnqmyTS.exe.4389970.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.shaLnqmyTS.exe.43d4b90.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2534725479.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1305242014.00000000043CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1305242014.0000000004389000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: shaLnqmyTS.exe PID: 5172, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: shaLnqmyTS.exe PID: 1408, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: 0.2.shaLnqmyTS.exe.43d4b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.shaLnqmyTS.exe.4389970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.shaLnqmyTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.shaLnqmyTS.exe.4389970.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.shaLnqmyTS.exe.43d4b90.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2534725479.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1305242014.00000000043CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1305242014.0000000004389000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: shaLnqmyTS.exe PID: 5172, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: shaLnqmyTS.exe PID: 1408, type: MEMORYSTR
MITRE ATT&CK matrix (one line per tactic; the number in parentheses is the signature count shown for that technique, techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (111), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (111), Obfuscated Files or Information (2), Software Packing (2), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), System Information Discovery (12), Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Source | Detection | Scanner | Label
shaLnqmyTS.exe | 38% | Virustotal |
shaLnqmyTS.exe | 71% | ReversingLabs | Win32.Ransomware.RedLine
shaLnqmyTS.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
87.120.120.86:1912 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/Entity/Id10Response | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8Response | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id22LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id2Response | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23Response | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id11LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17Response | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1LR | shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id5LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id20ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://tempuri.org/Entity/Id3LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id15ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id13ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id4ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id6ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://api.ip.sb/ipshaLnqmyTS.exe, 00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000000.00000002.1305242014.00000000043CC000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000000.00000002.1305242014.0000000004389000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2534725479.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id23LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id7ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id21LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/xshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id11ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id9ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://tempuri.org/Entity/Id22ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id23shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id24ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id1ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id18LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id16LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id8LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id14LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id6LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://tempuri.org/Entity/Id18ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id12LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressingshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id10LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id4LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://tempuri.org/Entity/Id2LRshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rmXshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://tempuri.org/Entity/Id3ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://localhost/arkanoid_server/requests.phpshaLnqmyTS.exefalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessageshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://tempuri.org/Entity/Id16ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://tempuri.org/Entity/Id5ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/soap/actor/nextshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsshaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://tempuri.org/Entity/Id14ResponseshaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000003053000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, shaLnqmyTS.exe, 00000004.00000002.2536996781.0000000002FFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
87.120.120.86 | unknown | Bulgaria | | 25206 | UNACS-AS-BG8000BurgasBG | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588696
Start date and time: 2025-01-11 04:18:35 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: shaLnqmyTS.exe
renamed because original name is a hash value
Original Sample Name: 2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@5/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 42
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:19:33 | API Interceptor | 1x Sleep call for process: shaLnqmyTS.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
87.120.120.86 | zAGUEDGSTM.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | C5Zr4LSzmp.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | C5Zr4LSzmp.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | VmoLw6EKj5.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | Xf3rn1smZw.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | 2eRd5imEKU.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | 2eRd5imEKU.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | 17.12.2024 ________.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | #U0417#U0430#U043f#U0440#U043e#U0441 11.12.2024.exe | Get hash | malicious | RedLine | Browse |
87.120.120.86 | po4877383.exe | Get hash | malicious | RedLine | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNACS-AS-BG8000BurgasBG | zAGUEDGSTM.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | WtZl31OLfA.exe | Get hash | malicious | Remcos, GuLoader | Browse | 87.120.116.187
UNACS-AS-BG8000BurgasBG | C5Zr4LSzmp.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | C5Zr4LSzmp.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | 2XnMqJW0u1.exe | Get hash | malicious | XWorm | Browse | 87.120.120.15
UNACS-AS-BG8000BurgasBG | VmoLw6EKj5.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | QwMcsmYcxv.exe | Get hash | malicious | AsyncRAT, VenomRAT | Browse | 87.120.120.15
UNACS-AS-BG8000BurgasBG | QwMcsmYcxv.exe | Get hash | malicious | AsyncRAT, VenomRAT | Browse | 87.120.120.15
UNACS-AS-BG8000BurgasBG | Xf3rn1smZw.exe | Get hash | malicious | RedLine | Browse | 87.120.120.86
UNACS-AS-BG8000BurgasBG | wqSmINeWgm.exe | Get hash | malicious | RedLine | Browse | 87.120.120.7
No context
No context
Process: C:\Users\user\Desktop\shaLnqmyTS.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.637446024094241
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: shaLnqmyTS.exe
File size: 788'480 bytes
MD5: 8b2612c44a0951e150dc47ba2741d26e
SHA1: 0d5a4030a841a8a77c130f6689712e24aaa9a674
SHA256: 2d38fac7d02a4d32b8579c25ec1ce2d6bb14bc27d846874ad6f1897ca21889cd
SHA512: 87052019e30f961c6a77889e789f246d1c529834c90122f3c3a781ee58b519db311b31f36309ae2e56706ccc2a0e34b545ddb054d9fc5cf81700e1c76510387e
SSDEEP: 12288:uIR4R52J+XtLKxw9rbrramF93MFTzEiBBs/iTxAKnAHORfoO9FHF9jD7Qx1MxQh:uIeew9rbKmF93MxzRTqKnYOBvHPO
TLSH: B0F402A8BA42C846DC0153740D76F5B416696FECF411931F2BDA7FABFCB3A13049A246
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../tNg..............0.............R.... ... ....@.. .......................`............@................................
Icon Hash: 4b66a4ecc5ce527b
Entrypoint: 0x4b0e52
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x674E742F [Tue Dec 3 02:59:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                              add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb0e00          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb2000          0x10e14       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc4000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xaee58       0xaf000   657dd4a31c46c11de6cd16845227f84e  False     0.9366043526785715   data       7.813051520440733    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xb2000          0x10e14       0x11000   d4415ba155e955a7f9fae907e9b85678  False     0.21964039522058823  data       4.392571462049695    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc4000          0xc           0x400     30c2fd1c86f99d78ba2cd8aa63c81816  False     0.025390625          data       0.04468700625387198  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                                    Language  Country  ZLIB Complexity
RT_ICON        0xb2160  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m                          0.21470188098899798
RT_GROUP_ICON  0xc2988  0x14     data                                                                                                                      1.0
RT_GROUP_ICON  0xc299c  0x14     data                                                                                                                      1.05
RT_VERSION     0xc29b0  0x278    data                                                                                                                      0.47151898734177217
RT_MANIFEST    0xc2c28  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                         0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                          Source Port  Dest Port  Source IP      Dest IP
Jan 11, 2025 04:19:37.221772909 CET  49702        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:19:37.226660013 CET  1912         49702      87.120.120.86  192.168.2.7
Jan 11, 2025 04:19:37.226737976 CET  49702        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:19:37.236819029 CET  49702        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:19:37.241693974 CET  1912         49702      87.120.120.86  192.168.2.7
Jan 11, 2025 04:19:58.617440939 CET  1912         49702      87.120.120.86  192.168.2.7
Jan 11, 2025 04:19:58.617523909 CET  49702        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:19:58.645015955 CET  49702        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:03.666884899 CET  49856        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:03.671741962 CET  1912         49856      87.120.120.86  192.168.2.7
Jan 11, 2025 04:20:03.671885014 CET  49856        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:03.672101974 CET  49856        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:03.676970959 CET  1912         49856      87.120.120.86  192.168.2.7
Jan 11, 2025 04:20:25.055514097 CET  1912         49856      87.120.120.86  192.168.2.7
Jan 11, 2025 04:20:25.059839964 CET  49856        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:25.060138941 CET  49856        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:30.071991920 CET  49975        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:30.076865911 CET  1912         49975      87.120.120.86  192.168.2.7
Jan 11, 2025 04:20:30.076958895 CET  49975        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:30.077328920 CET  49975        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:30.082146883 CET  1912         49975      87.120.120.86  192.168.2.7
Jan 11, 2025 04:20:51.480185986 CET  1912         49975      87.120.120.86  192.168.2.7
Jan 11, 2025 04:20:51.480339050 CET  49975        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:51.480710983 CET  49975        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:56.510212898 CET  49979        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:56.515218019 CET  1912         49979      87.120.120.86  192.168.2.7
Jan 11, 2025 04:20:56.515377045 CET  49979        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:56.515626907 CET  49979        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:20:56.520478010 CET  1912         49979      87.120.120.86  192.168.2.7
Jan 11, 2025 04:21:17.869673014 CET  1912         49979      87.120.120.86  192.168.2.7
Jan 11, 2025 04:21:17.869751930 CET  49979        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:21:17.870070934 CET  49979        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:21:22.884702921 CET  49980        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:21:22.889636040 CET  1912         49980      87.120.120.86  192.168.2.7
Jan 11, 2025 04:21:22.889765024 CET  49980        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:21:22.889995098 CET  49980        1912       192.168.2.7    87.120.120.86
Jan 11, 2025 04:21:22.894838095 CET  1912         49980      87.120.120.86  192.168.2.7
Target ID: 0
Start time: 22:19:33
Start date: 10/01/2025
Path: C:\Users\user\Desktop\shaLnqmyTS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\shaLnqmyTS.exe"
Imagebase: 0xf00000
File size: 788'480 bytes
MD5 hash: 8B2612C44A0951E150DC47BA2741D26E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1305242014.0000000004417000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1305242014.00000000043CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1305242014.0000000004389000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 22:19:34
Start date: 10/01/2025
Path: C:\Users\user\Desktop\shaLnqmyTS.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\shaLnqmyTS.exe"
Imagebase: 0x420000
File size: 788'480 bytes
MD5 hash: 8B2612C44A0951E150DC47BA2741D26E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 22:19:34
Start date: 10/01/2025
Path: C:\Users\user\Desktop\shaLnqmyTS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\shaLnqmyTS.exe"
Imagebase: 0xb50000
File size: 788'480 bytes
MD5 hash: 8B2612C44A0951E150DC47BA2741D26E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2534725479.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 137
Total number of Limit Nodes: 10

[Execution graph: 137 nodes, 10 limit nodes. API calls reached in the graph: PostMessageW, DuplicateHandle, GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, CreateActCtxA]

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0197D3D6
• GetCurrentThread.KERNEL32 ref: 0197D413
• GetCurrentProcess.KERNEL32 ref: 0197D450
• GetCurrentThreadId.KERNEL32 ref: 0197D4A9
Memory Dump Source
• Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: c1a143b588db9fcade0968f045663b6e9dd85ce17530d45fd617ffc484d4ee2f
• Instruction ID: 3d13cac293869f6a005488d5379ccbc1aef4e1f3419aa6420c4e7ea1eb5d207d
• Opcode Fuzzy Hash: c1a143b588db9fcade0968f045663b6e9dd85ce17530d45fd617ffc484d4ee2f
• Instruction Fuzzy Hash: 165145B49003498FEB59CFA9D548BDEBBF1FF48304F208059D409AB2A0D7786945CB65

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 0197D3D6
• GetCurrentThread.KERNEL32 ref: 0197D413
• GetCurrentProcess.KERNEL32 ref: 0197D450
• GetCurrentThreadId.KERNEL32 ref: 0197D4A9
Memory Dump Source
• Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 9cabe32b7bdeed533de8881d2df1e8411a8ebf445adff6914a7c7a8cb74eeec0
• Instruction ID: ccf3794c094b63d353b7041a26b4406bbe5b5138228aff6dc0bfae9733cb7ac0
• Opcode Fuzzy Hash: 9cabe32b7bdeed533de8881d2df1e8411a8ebf445adff6914a7c7a8cb74eeec0
• Instruction Fuzzy Hash: 545136B49003098FEB59DFA9D548BDEBBF5FF48304F208059D409A73A0D7786945CB65

Control-flow Graph

[Control-flow graph for function 6476f5c-64772ad, blocks marked executed / not executed; CreateProcessA is called from block 64770f7-64771b1]

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0647719E
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 8f2949cdcc0585aa10d4d9c7543b919e92600d02f858b86269ccb1d9f8aee9bd
• Instruction ID: bcb3b2d90ca2a7157647d87056514fc04e4dfe947d97f2dc61b63b6ffcac3a2f
• Opcode Fuzzy Hash: 8f2949cdcc0585aa10d4d9c7543b919e92600d02f858b86269ccb1d9f8aee9bd
• Instruction Fuzzy Hash: 19916B71D003598FEB65CF68C840BEEBBB2FF49310F1485AAE818A7240DB759985CF91

Control-flow Graph

[Control-flow graph for function 6476f68-64772ad, blocks marked executed / not executed; CreateProcessA is called from block 64770f7-64771b1]

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0647719E
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 5f0368944dc22a04aec2d4995eb316074e16c1b6aff0bef8a675ade78772bdc3
• Instruction ID: 41eb081ce30f036aa52aaa6cf141c6f5255e61c929073356016bff8972365eff
• Opcode Fuzzy Hash: 5f0368944dc22a04aec2d4995eb316074e16c1b6aff0bef8a675ade78772bdc3
• Instruction Fuzzy Hash: 12916C71D003598FEB65CF68C840BEEBBB2FF49300F5485AAE818A7240DB759985CF91

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 158 197b0d0-197b0df 159 197b0e1-197b0ee call 1979ad4 158->159 160 197b10b-197b10f 158->160 165 197b104 159->165 166 197b0f0 159->166 162 197b123-197b164 160->162 163 197b111-197b11b 160->163 169 197b166-197b16e 162->169 170 197b171-197b17f 162->170 163->162 165->160 213 197b0f6 call 197b358 166->213 214 197b0f6 call 197b368 166->214 169->170 171 197b1a3-197b1a5 170->171 172 197b181-197b186 170->172 176 197b1a8-197b1af 171->176 174 197b191 172->174 175 197b188-197b18f call 197aab4 172->175 173 197b0fc-197b0fe 173->165 177 197b240-197b300 173->177 178 197b193-197b1a1 174->178 175->178 180 197b1b1-197b1b9 176->180 181 197b1bc-197b1c3 176->181 208 197b302-197b305 177->208 209 197b308-197b333 GetModuleHandleW 177->209 178->176 180->181 183 197b1c5-197b1cd 181->183 184 197b1d0-197b1d9 call 197aac4 181->184 183->184 189 197b1e6-197b1eb 184->189 190 197b1db-197b1e3 184->190 192 197b1ed-197b1f4 189->192 193 197b209-197b216 189->193 190->189 192->193 194 197b1f6-197b206 call 197aad4 call 197aae4 192->194 199 197b239-197b23f 193->199 200 197b218-197b236 193->200 194->193 200->199 208->209 210 197b335-197b33b 209->210 211 197b33c-197b350 209->211 210->211 213->173 214->173
                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0197B326
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: HandleModule
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                                                                • Opcode ID: 53ae3ebdc2d1b170ddff7976a56db6cd70bcfbc025bd0f4711472f273e1f5408
                                                                                                                                                                                • Instruction ID: c246c88023ce2903a5cf9e60db3d709d9d1ce55127aca65de861636a80934ab0
                                                                                                                                                                                • Opcode Fuzzy Hash: 53ae3ebdc2d1b170ddff7976a56db6cd70bcfbc025bd0f4711472f273e1f5408
                                                                                                                                                                                • Instruction Fuzzy Hash: 57714470A00B458FEB24DF6AE44475ABBF5FF88300F10892ED48ADBA50D779E845CB91

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 215 19744b4-19759b9 CreateActCtxA 218 19759c2-1975a1c 215->218 219 19759bb-19759c1 215->219 226 1975a1e-1975a21 218->226 227 1975a2b-1975a2f 218->227 219->218 226->227 228 1975a31-1975a3d 227->228 229 1975a40 227->229 228->229 231 1975a41 229->231 231->231
                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 019759A9
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Create
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2289755597-0
                                                                                                                                                                                • Opcode ID: e138947597ad55344a041545e6785b4acfb070bf28180dfc66af846068d1a164
                                                                                                                                                                                • Instruction ID: cac2777db94040131af41a16a93db93492ec36ba8491f59aa8022fb70350ef87
                                                                                                                                                                                • Opcode Fuzzy Hash: e138947597ad55344a041545e6785b4acfb070bf28180dfc66af846068d1a164
                                                                                                                                                                                • Instruction Fuzzy Hash: 0F41A0B0C00719CBEB25DFAAC884BDDBBB5FF49304F20806AD509AB251DB756946CF91

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 232 19758ed-19758ef 233 19758fc-19759b9 CreateActCtxA 232->233 235 19759c2-1975a1c 233->235 236 19759bb-19759c1 233->236 243 1975a1e-1975a21 235->243 244 1975a2b-1975a2f 235->244 236->235 243->244 245 1975a31-1975a3d 244->245 246 1975a40 244->246 245->246 248 1975a41 246->248 248->248
                                                                                                                                                                                APIs
                                                                                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 019759A9
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Create
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2289755597-0
                                                                                                                                                                                • Opcode ID: acd4f9bf335822389892e7f8b0df882a521e9257deb59ee8020d688234b67f4f
                                                                                                                                                                                • Instruction ID: 63021286bf03b55affabbfe25f2e318a1109d4446d6302140c669da5cd9060af
                                                                                                                                                                                • Opcode Fuzzy Hash: acd4f9bf335822389892e7f8b0df882a521e9257deb59ee8020d688234b67f4f
                                                                                                                                                                                • Instruction Fuzzy Hash: D741C170C00719CFEB25DFA9C884BDDBBB5BF48304F20806AD408AB251DB756946CF50

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 249 64768da-647692e 251 6476930-647693c 249->251 252 647693e-647697d WriteProcessMemory 249->252 251->252 254 6476986-64769b6 252->254 255 647697f-6476985 252->255 255->254
                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06476970
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: MemoryProcessWrite
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3559483778-0
                                                                                                                                                                                • Opcode ID: 942415d4b64725424f0b0bdd31ad8b79303f6fde5bfd649beb68f3b9683a9c46
                                                                                                                                                                                • Instruction ID: 3badca0041aa068d57ab797fd1d912a4296f0469555de3664d50be97d5eb60c0
                                                                                                                                                                                • Opcode Fuzzy Hash: 942415d4b64725424f0b0bdd31ad8b79303f6fde5bfd649beb68f3b9683a9c46
                                                                                                                                                                                • Instruction Fuzzy Hash: 7B2124B5D003099FDB10CFAAC880BEEBBF5FF48310F10842AE958A7240C7789940CBA0

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 259 64768e0-647692e 261 6476930-647693c 259->261 262 647693e-647697d WriteProcessMemory 259->262 261->262 264 6476986-64769b6 262->264 265 647697f-6476985 262->265 265->264
                                                                                                                                                                                APIs
                                                                                                                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06476970
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: MemoryProcessWrite
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3559483778-0
                                                                                                                                                                                • Opcode ID: 203e498bdd5ff4891719d67ab14bc7a5c617d89f3f23a00533f2e62a542e1786
                                                                                                                                                                                • Instruction ID: e20add16c75baeef64332ec5ba1ef368b49c7415567ceedf2eefd210a1542e37
                                                                                                                                                                                • Opcode Fuzzy Hash: 203e498bdd5ff4891719d67ab14bc7a5c617d89f3f23a00533f2e62a542e1786
                                                                                                                                                                                • Instruction Fuzzy Hash: 4C2110B59003499FDB10CFAAC880BEEBBF5FF48310F10842AE959A7250C7789954CBA4

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 269 6476dc9-6476e5d ReadProcessMemory 272 6476e66-6476e96 269->272 273 6476e5f-6476e65 269->273 273->272
                                                                                                                                                                                APIs
                                                                                                                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06476E50
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: MemoryProcessRead
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1726664587-0
                                                                                                                                                                                • Opcode ID: d1afc750926e03a955bcf422257a3f2003610fcb2366bf3e2bada99778ea98b3
                                                                                                                                                                                • Instruction ID: 2c1d46e2d62516f73cf16a683969b90efed838e37ff99d918ee606a5e3196dd4
                                                                                                                                                                                • Opcode Fuzzy Hash: d1afc750926e03a955bcf422257a3f2003610fcb2366bf3e2bada99778ea98b3
                                                                                                                                                                                • Instruction Fuzzy Hash: 542148B1C003499FDB10CFAAC880BEEBBF5FF48310F10842AE919A7240C7389901CBA0

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 277 6476742-6476793 279 6476795-64767a1 277->279 280 64767a3-64767d3 Wow64SetThreadContext 277->280 279->280 282 64767d5-64767db 280->282 283 64767dc-647680c 280->283 282->283
                                                                                                                                                                                APIs
                                                                                                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 064767C6
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 983334009-0

Control-flow Graph (basic blocks and edges)
• 287: 6476748-6476793 -> 289, 290
• 289: 6476795-64767a1 -> 290
• 290: 64767a3-64767d3 (Wow64SetThreadContext) -> 292, 293
• 292: 64767d5-64767db -> 293
• 293: 64767dc-647680c
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 064767C6
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph (basic blocks and edges)
• 297: 6476dd0-6476e5d (ReadProcessMemory) -> 300, 301
• 300: 6476e66-6476e96
• 301: 6476e5f-6476e65 -> 300
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06476E50
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph (basic blocks and edges)
• 305: 197d5a0-197d634 (DuplicateHandle) -> 306, 307
• 306: 197d636-197d63c -> 307
• 307: 197d63d-197d65a
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0197D627
Memory Dump Source
• Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph (basic blocks and edges)
• 310: 197d599-197d634 (DuplicateHandle) -> 311, 312
• 311: 197d636-197d63c -> 312
• 312: 197d63d-197d65a
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0197D627
Memory Dump Source
• Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0647688E
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0647688E
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0647941D
Memory Dump Source
• Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0197B326
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: HandleModule
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                                                                • Opcode ID: 04f177cc25d75104d0052956f10e4c347f99ca50019a5a4afc1de6094713a564
                                                                                                                                                                                • Instruction ID: 55819d3df9109296cb063d78ec2e51e3790880a5fa38b566d96272a8575ff03a
                                                                                                                                                                                • Opcode Fuzzy Hash: 04f177cc25d75104d0052956f10e4c347f99ca50019a5a4afc1de6094713a564
                                                                                                                                                                                • Instruction Fuzzy Hash: AD11DFB6C013498FDB24CF9AD444ADEFBF9EF88210F10841AD919A7610C379A545CFA5
                                                                                                                                                                                APIs
                                                                                                                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0647941D
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: MessagePost
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 410705778-0
                                                                                                                                                                                • Opcode ID: 34e810494223f787e4f7b036f236ac15d58ed68cd48c2ca33d47e173774ff0b3
                                                                                                                                                                                • Instruction ID: b558a62f8a34905a93977a328d85f8436318f241ab1680b3ade4866fd2c70099
                                                                                                                                                                                • Opcode Fuzzy Hash: 34e810494223f787e4f7b036f236ac15d58ed68cd48c2ca33d47e173774ff0b3
                                                                                                                                                                                • Instruction Fuzzy Hash: F111D0B58002499FDB11CF99D985BDEBBF8EB48310F10841AD959A7750C379A944CFA1
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1301602042.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_159d000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: b668b14b4406e64856d359dc5da89151dd09945c11383745c0e057bc8203d257
                                                                                                                                                                                • Instruction ID: d6b9d5497e777c467b942f0173db24b096275754e8b2694a828bc04c1e0bf46e
                                                                                                                                                                                • Opcode Fuzzy Hash: b668b14b4406e64856d359dc5da89151dd09945c11383745c0e057bc8203d257
                                                                                                                                                                                • Instruction Fuzzy Hash: 7E21FF72500240DFDF15DF98D9C0B2ABFB5FB88318F248569E9090F256C33AD456CBA2
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1301683606.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_15ad000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: d7c9b076f135ac5fc8cb786d521e4caebfa45773b2a9308990ad49fd2da5ee1c
                                                                                                                                                                                • Instruction ID: f8654542f28842cfdd4a8c626dbf2ff06804341399f004e3ee2618f65c532679
                                                                                                                                                                                • Opcode Fuzzy Hash: d7c9b076f135ac5fc8cb786d521e4caebfa45773b2a9308990ad49fd2da5ee1c
                                                                                                                                                                                • Instruction Fuzzy Hash: 55210371584304DFDB15EF54D980B1ABBB1FB84314F60C96DD90A4FA52D33AD447CA61
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1301683606.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_15ad000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 2b562e8b15cc9011b2f7858380ce62a9bb99df8ee77f4b0cb4009393b95511f4
                                                                                                                                                                                • Instruction ID: aaa46d93c9eadce3de5cb1c9341d5e78485c7b43a822a7d416922e4d4a260d56
                                                                                                                                                                                • Opcode Fuzzy Hash: 2b562e8b15cc9011b2f7858380ce62a9bb99df8ee77f4b0cb4009393b95511f4
                                                                                                                                                                                • Instruction Fuzzy Hash: 512192755493808FCB13DF64D590719BF71FB46214F28C5EAD8498F6A7C33A980ACB62
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1301602042.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_159d000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                                                                                                                                                                • Instruction ID: d79192d19afa816b6d176720fd35f5e2bbe94a3c210ff481daa42baa9a92ab53
                                                                                                                                                                                • Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                                                                                                                                                                • Instruction Fuzzy Hash: C0119D76504280CFCF16CF54D5C4B1ABF71FB84318F2486A9D9494F656C33AD456CBA2
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1301602042.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_159d000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 04f440ebe08861c680609738fbda62625d1713db74d57a2c5a442c68ecc6117d
                                                                                                                                                                                • Instruction ID: e6b7eed64d8ba30426e89e4a59e8ecfa6feb1393ca61aac21ff7649f53fa2637
                                                                                                                                                                                • Opcode Fuzzy Hash: 04f440ebe08861c680609738fbda62625d1713db74d57a2c5a442c68ecc6117d
                                                                                                                                                                                • Instruction Fuzzy Hash: 5F0184715043849AEB204BA5CDC4B6EBBF8FB41264F18891AED094F682C2699840CAB3
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1301602042.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_159d000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 179f20cdecacd7e1b14942b571ea911b06470e23a30c2cff0abcef7aad8561d2
                                                                                                                                                                                • Instruction ID: 459e04b495a3b77cc59e19ef37a81a49a43e0c6cf3d61be791d17ba9a7f122f8
                                                                                                                                                                                • Opcode Fuzzy Hash: 179f20cdecacd7e1b14942b571ea911b06470e23a30c2cff0abcef7aad8561d2
                                                                                                                                                                                • Instruction Fuzzy Hash: C5F096714053849FEB218B19CDC4B6AFFE8EB81774F18C55AED084F693C2799844CA75
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 7d2826b78e23447c5e8624b404bdb992ba4a51fd9df695bf7977f617aad161e8
                                                                                                                                                                                • Instruction ID: 139483de266ebfb37e503f832e5f7fc2dc5e1b3defd7e5c11b9662b40f31312c
                                                                                                                                                                                • Opcode Fuzzy Hash: 7d2826b78e23447c5e8624b404bdb992ba4a51fd9df695bf7977f617aad161e8
                                                                                                                                                                                • Instruction Fuzzy Hash: 6BD1BB30B016018FEBA6DB76C8507AFB7F6AFC9600F18446ED15A9B390DB39E841CB51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 50071c189a173bb53b49ab1417cc4478a98a19b21b723b51393c805779be3d32
                                                                                                                                                                                • Instruction ID: 71d87d1ba0e4e2d7f79132104247fc0e8b567fe466a244dab5d421720c02fe5d
                                                                                                                                                                                • Opcode Fuzzy Hash: 50071c189a173bb53b49ab1417cc4478a98a19b21b723b51393c805779be3d32
                                                                                                                                                                                • Instruction Fuzzy Hash: 53E11B74E002598FDB54DFA9C580AAEFBB2FF89305F24816AD414AB356C734AD42CF60
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 01fe960728e4fd009839d486d11cd3250c9955a684ba1f2991129e4d598d0b6c
                                                                                                                                                                                • Instruction ID: cfe7df333439ec14959dc977ad2d08579b8a2ffc8e2ef5c8a8fa99718865b705
                                                                                                                                                                                • Opcode Fuzzy Hash: 01fe960728e4fd009839d486d11cd3250c9955a684ba1f2991129e4d598d0b6c
                                                                                                                                                                                • Instruction Fuzzy Hash: 04E1D874E002598FDB54DFA9C580AAEFBF2FF89305F24816AD414AB355D731A941CFA0
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 3bee2430bbb1d1ee4cba858affde52a65f9fb73621a6fb9b448838a3c0d7f5d7
                                                                                                                                                                                • Instruction ID: 6f7771533cc20d88d9c97dbef6147ccfd9df52331b4395bbcbfb916436cde784
                                                                                                                                                                                • Opcode Fuzzy Hash: 3bee2430bbb1d1ee4cba858affde52a65f9fb73621a6fb9b448838a3c0d7f5d7
                                                                                                                                                                                • Instruction Fuzzy Hash: 44E1D674E002598FDB14DFA9C584AAEFBB2FF89305F24816AD415AB356D730AD42CF60
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 6bca91fd2b1842b1d9f19fc73ce135254700eaf6e26c4f764994c2e07275cdaa
                                                                                                                                                                                • Instruction ID: 5dcb50169887f884c1fec9b6308721cab1507cd5a6076b0b7782eae5106dd447
                                                                                                                                                                                • Opcode Fuzzy Hash: 6bca91fd2b1842b1d9f19fc73ce135254700eaf6e26c4f764994c2e07275cdaa
                                                                                                                                                                                • Instruction Fuzzy Hash: 6CE1D674E002598FDB14DFA9C580AAEFBF2FF89305F24816AD454AB356D731A941CFA0
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: accfb25bce7261d391d8ece2888acf5818f71dd7a0cc85b3e87fc4c609fd1193
                                                                                                                                                                                • Instruction ID: e7fd253269ed38fd4e10417df2d16e0402c7a32ca09ed4bb248c42976de8a794
                                                                                                                                                                                • Opcode Fuzzy Hash: accfb25bce7261d391d8ece2888acf5818f71dd7a0cc85b3e87fc4c609fd1193
                                                                                                                                                                                • Instruction Fuzzy Hash: E8E1D774E002598FDB14DFA9C580AAEFBF2FF89305F24816AD414AB356D735A941CFA0
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1302785263.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1970000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 4cba497668e027f55e6484dc806d525cc138f53d10dc570bdddf3534f7a0291e
                                                                                                                                                                                • Instruction ID: 1cb7a2494b36c8ecc85009aa12c20be79dd8a7e460d3f3f03bd7df4e87fedc06
                                                                                                                                                                                • Opcode Fuzzy Hash: 4cba497668e027f55e6484dc806d525cc138f53d10dc570bdddf3534f7a0291e
                                                                                                                                                                                • Instruction Fuzzy Hash: B9A16C32E1020A8FCF15DFB5C8445AEBBF6FF84301B15456AE91ABB265DB31E905CB80
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 526732d5faa91f41ab4f5dbe4a9eaee3f16a641490ee8327b851b976a57ddfaf
                                                                                                                                                                                • Instruction ID: f7ce61b6f372b56fcf307879b0bffc88ab1cff5fc8b04ad34d6a12d9e331a7a2
                                                                                                                                                                                • Opcode Fuzzy Hash: 526732d5faa91f41ab4f5dbe4a9eaee3f16a641490ee8327b851b976a57ddfaf
                                                                                                                                                                                • Instruction Fuzzy Hash: B1510B74E002598FDB14DFA9C5805EEFBF2EF89304F24816AD458AB356D7349942CFA1
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000000.00000002.1314718333.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6470000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 0cc1986fadd19d565de4592179e3354cc34d3a72ebc06fddc73dde940209d24d
                                                                                                                                                                                • Instruction ID: 78ce43205e079b65dc99a9ce37f41f3c0c56b94de3ae38df316ad7b833e1912f
                                                                                                                                                                                • Opcode Fuzzy Hash: 0cc1986fadd19d565de4592179e3354cc34d3a72ebc06fddc73dde940209d24d
                                                                                                                                                                                • Instruction Fuzzy Hash: 9051FB74E002198FDB14DFA9C5855AEFBF2FF89304F24816AD418AB355D7359A42CFA0

                                                                                                                                                                                Execution Graph

                                                                                                                                                                                Execution Coverage:7.2%
                                                                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                Signature Coverage:0%
                                                                                                                                                                                Total number of Nodes:33
                                                                                                                                                                                Total number of Limit Nodes:5
                                                                                                                                                                                execution_graph 15471 13dad38 15474 13dae30 15471->15474 15472 13dad47 15475 13dae64 15474->15475 15477 13dae41 15474->15477 15475->15472 15476 13db068 GetModuleHandleW 15478 13db095 15476->15478 15477->15475 15477->15476 15478->15472 15479 13dd0b8 15480 13dd0fe GetCurrentProcess 15479->15480 15482 13dd149 15480->15482 15483 13dd150 GetCurrentThread 15480->15483 15482->15483 15484 13dd18d GetCurrentProcess 15483->15484 15485 13dd186 15483->15485 15486 13dd1c3 15484->15486 15485->15484 15487 13dd1eb GetCurrentThreadId 15486->15487 15488 13dd21c 15487->15488 15489 13d4668 15490 13d4684 15489->15490 15491 13d4696 15490->15491 15493 13d47a0 15490->15493 15494 13d47c5 15493->15494 15498 13d48a1 15494->15498 15502 13d48b0 15494->15502 15499 13d48b0 15498->15499 15501 13d49b4 15499->15501 15506 13d4248 15499->15506 15504 13d48d7 15502->15504 15503 13d49b4 15503->15503 15504->15503 15505 13d4248 CreateActCtxA 15504->15505 15505->15503 15507 13d5940 CreateActCtxA 15506->15507 15509 13d5a03 15507->15509 15510 13dd300 DuplicateHandle 15511 13dd396 15510->15511

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 013DD136
                                                                                                                                                                                • GetCurrentThread.KERNEL32 ref: 013DD173
                                                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 013DD1B0
                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 013DD209
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.2536704761.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_13d0000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Current$ProcessThread
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2063062207-0
                                                                                                                                                                                • Opcode ID: 97cfb30eff8aa4c961b27eb762ad58e22fce817ae8dbda8d7adf0cdaba67562b
                                                                                                                                                                                • Instruction ID: 2a1979228f46e1bf11ba48a58b591f074071d65531b04f2210e827be575c9ecc
                                                                                                                                                                                • Opcode Fuzzy Hash: 97cfb30eff8aa4c961b27eb762ad58e22fce817ae8dbda8d7adf0cdaba67562b
                                                                                                                                                                                • Instruction Fuzzy Hash: C05168B19013498FDB58CFA9D548BDEBBF1EF48304F20805AE019AB3A0DB789944CB65

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                APIs
                                                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 013DD136
                                                                                                                                                                                • GetCurrentThread.KERNEL32 ref: 013DD173
                                                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 013DD1B0
                                                                                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 013DD209
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.2536704761.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_13d0000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: Current$ProcessThread
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2063062207-0
                                                                                                                                                                                • Opcode ID: 0f1bc0be6dc83944a2e3ed51e66d17663743ccbf5060107d828be5d98b0a3ab5
                                                                                                                                                                                • Instruction ID: b5f3590b32bfd7e4f7e6a743d43dc9935587801f6d22ce461e25c3bcb320976e
                                                                                                                                                                                • Opcode Fuzzy Hash: 0f1bc0be6dc83944a2e3ed51e66d17663743ccbf5060107d828be5d98b0a3ab5
                                                                                                                                                                                • Instruction Fuzzy Hash: D55157B19013098FDB58CFAAD548BDEBBF1EF48314F208459E019AB3A0DB789944CB65

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 44 13dae30-13dae3f 45 13dae6b-13dae6f 44->45 46 13dae41-13dae4e call 13d9838 44->46 48 13dae71-13dae7b 45->48 49 13dae83-13daec4 45->49 52 13dae64 46->52 53 13dae50 46->53 48->49 55 13daec6-13daece 49->55 56 13daed1-13daedf 49->56 52->45 102 13dae56 call 13db0b8 53->102 103 13dae56 call 13db0c8 53->103 55->56 57 13daee1-13daee6 56->57 58 13daf03-13daf05 56->58 60 13daee8-13daeef call 13da814 57->60 61 13daef1 57->61 63 13daf08-13daf0f 58->63 59 13dae5c-13dae5e 59->52 62 13dafa0-13dafb7 59->62 65 13daef3-13daf01 60->65 61->65 77 13dafb9-13db018 62->77 66 13daf1c-13daf23 63->66 67 13daf11-13daf19 63->67 65->63 68 13daf25-13daf2d 66->68 69 13daf30-13daf39 call 13da824 66->69 67->66 68->69 75 13daf3b-13daf43 69->75 76 13daf46-13daf4b 69->76 75->76 78 13daf4d-13daf54 76->78 79 13daf69-13daf76 76->79 95 13db01a-13db060 77->95 78->79 80 13daf56-13daf66 call 13da834 call 13da844 78->80 86 13daf99-13daf9f 79->86 87 13daf78-13daf96 79->87 80->79 87->86 97 13db068-13db093 GetModuleHandleW 95->97 98 13db062-13db065 95->98 99 13db09c-13db0b0 97->99 100 13db095-13db09b 97->100 98->97 100->99 102->59 103->59
                                                                                                                                                                                APIs
                                                                                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 013DB086
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.2536704761.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_13d0000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: HandleModule
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 4139908857-0
                                                                                                                                                                                • Opcode ID: 79f017ce315a19b8a205f90d0b498a2ace5e9d9401795be687bea17b6d7f8738
                                                                                                                                                                                • Instruction ID: 85c6c2b727b93d15837861b222b61159ff842371c0ddde0838205119a36fa843
                                                                                                                                                                                • Opcode Fuzzy Hash: 79f017ce315a19b8a205f90d0b498a2ace5e9d9401795be687bea17b6d7f8738
                                                                                                                                                                                • Instruction Fuzzy Hash: 97717AB1A00B058FE724DF29E54175ABBF5FF88208F00896ED44AD7A50D775E809CF91

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 104 13d4248-13d5a01 CreateActCtxA 107 13d5a0a-13d5a64 104->107 108 13d5a03-13d5a09 104->108 115 13d5a66-13d5a69 107->115 116 13d5a73-13d5a77 107->116 108->107 115->116 117 13d5a79-13d5a85 116->117 118 13d5a88 116->118 117->118 120 13d5a89 118->120 120->120
APIs
• CreateActCtxA.KERNEL32(?), ref: 013D59F1
Memory Dump Source
• Source File: 00000004.00000002.2536704761.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_13d0000_shaLnqmyTS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 7ba0eaeb046a8428a8e4416c70d08e0123ec370c2a5a7c95b383ace0ca15a908
• Instruction ID: 3495623d66b7d86d348f70ce1ec0242d18f6edb1ee769c790fc302dab0a4ddbf
• Opcode Fuzzy Hash: 7ba0eaeb046a8428a8e4416c70d08e0123ec370c2a5a7c95b383ace0ca15a908
• Instruction Fuzzy Hash: 80419F71D00729CBEB24DFA9C884BDDBBB5FF49304F20805AD408AB255DB756946CF91

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 121 13d5935-13d593c 122 13d5944-13d5a01 CreateActCtxA 121->122 124 13d5a0a-13d5a64 122->124 125 13d5a03-13d5a09 122->125 132 13d5a66-13d5a69 124->132 133 13d5a73-13d5a77 124->133 125->124 132->133 134 13d5a79-13d5a85 133->134 135 13d5a88 133->135 134->135 137 13d5a89 135->137 137->137
APIs
• CreateActCtxA.KERNEL32(?), ref: 013D59F1
Memory Dump Source
• Source File: 00000004.00000002.2536704761.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_13d0000_shaLnqmyTS.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: e05308adfde36e0d3333108c906b5795eb546b4c6a660f8f43de13738a8e682c
• Instruction ID: ef172bc94d11cfa751e8943c9745f7c76be3eb19a809cbd626224be328271e7f
• Opcode Fuzzy Hash: e05308adfde36e0d3333108c906b5795eb546b4c6a660f8f43de13738a8e682c
• Instruction Fuzzy Hash: C841BCB1D00729CBEB24DFA9C884BDDBBB5FF49304F24805AD408AB261DB756946CF91

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 143 13dd300-13dd394 DuplicateHandle 144 13dd39d-13dd3ba 143->144 145 13dd396-13dd39c 143->145 145->144
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013DD387
Memory Dump Source
• Source File: 00000004.00000002.2536704761.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_13d0000_shaLnqmyTS.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 108771cd390d1aa5869c7c0c868d428d60af681dc25d404d748c35bc8ab72bd0
• Instruction ID: 0a19c3d1a28eb77cc412e9a4c1bee1c5c545d6fb042ecc151fc9f53d0db01680
• Opcode Fuzzy Hash: 108771cd390d1aa5869c7c0c868d428d60af681dc25d404d748c35bc8ab72bd0
• Instruction Fuzzy Hash: 3E21E2B5D003489FDB10CFAAD884ADEFBF8EB48310F14801AE918A3350C778A954CFA4

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 138 13dd2f9-13dd394 DuplicateHandle 139 13dd39d-13dd3ba 138->139 140 13dd396-13dd39c 138->140 140->139
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013DD387
Memory Dump Source
• Source File: 00000004.00000002.2536704761.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_13d0000_shaLnqmyTS.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 48d0851f29e531c3e54f4e486fd17d362f90ff23eaa9e5598d5a0ccf50458be8
• Instruction ID: fbfd4a5be2715a2b801b07238a1fa2e12054a491065a3972b225a0c2b01ecd97
• Opcode Fuzzy Hash: 48d0851f29e531c3e54f4e486fd17d362f90ff23eaa9e5598d5a0ccf50458be8
• Instruction Fuzzy Hash: 8821E4B5D002099FDB10CF9AD585ADEBBF5FB48314F14841AE918A3350C378A954CF64

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 148 13db020-13db060 149 13db068-13db093 GetModuleHandleW 148->149 150 13db062-13db065 148->150 151 13db09c-13db0b0 149->151 152 13db095-13db09b 149->152 150->149 152->151
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 013DB086
Memory Dump Source
• Source File: 00000004.00000002.2536704761.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_13d0000_shaLnqmyTS.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 8d0e4bc9c3fc5a8b6d3808b565aa08586ed73145cf7c3a9789325e8223b8dc27
• Instruction ID: 7e94f4ee5d7a59d49009a95f81e1ea6e90701acc920ef6d4e0c7df53b3177045
• Opcode Fuzzy Hash: 8d0e4bc9c3fc5a8b6d3808b565aa08586ed73145cf7c3a9789325e8223b8dc27
• Instruction Fuzzy Hash: 091110B6C003498FDB20CF9AD444BDEFBF4EF89214F10841AD428A7610C379A545CFA1
Memory Dump Source
• Source File: 00000004.00000002.2535579889.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11dd000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd61b810800117363d48d1346ef9f0c027db6bd3ba96a96095718322dcb9cb8e
• Instruction ID: 9866dafdd40ec5f17f9e0ddd2ad4ad972bc02d6ddc5253f3f42baad0c91f66ec
• Opcode Fuzzy Hash: fd61b810800117363d48d1346ef9f0c027db6bd3ba96a96095718322dcb9cb8e
• Instruction Fuzzy Hash: E3210671504204DFDF19DF94E9C0F56BB65FB84324F20C56DD9090B696C33AE456CBA2
Memory Dump Source
• Source File: 00000004.00000002.2535703342.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11ed000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 835b6d9ea88f901493c6ba60355ce7748a5a2b546a9bf9d4314ad5fbecef6758
• Instruction ID: 72070c3096034511f20bf0d20fa6094fd5fc766ee6aff55c6dd79498a7b34992
• Opcode Fuzzy Hash: 835b6d9ea88f901493c6ba60355ce7748a5a2b546a9bf9d4314ad5fbecef6758
• Instruction Fuzzy Hash: 66210071604700DFDF19DF94E988B16BFA1EB84314F28C56DE80A0B292C33AD447CA62
Memory Dump Source
• Source File: 00000004.00000002.2535703342.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11ed000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0adb644d521cd857e452ef70815622b299d09d929435f318d1ec5a7dc60cc0e
• Instruction ID: 0a4d0401f7e8a504a290772090dad9347e8c057db7bb4aaea39de31e13688794
• Opcode Fuzzy Hash: b0adb644d521cd857e452ef70815622b299d09d929435f318d1ec5a7dc60cc0e
• Instruction Fuzzy Hash: E621C2755093808FCB07CF64D994705BFB1EB46214F28C5DAD8498F6A3C33A980ACB62
Memory Dump Source
• Source File: 00000004.00000002.2535579889.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11dd000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
• Instruction ID: ad1cb9c5647c3ff3a8457d519e19a5d76e1b821f81d240eeebc966b28500efd8
• Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
• Instruction Fuzzy Hash: F211CD72404240DFCF16CF44E5C0B56BF61FB84324F2486A9D9090BA56C33AE456CBA2
Memory Dump Source
• Source File: 00000004.00000002.2535579889.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_11dd000_shaLnqmyTS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3981f2b9fb5b2cc7a9232cfd091046a8957f61a553d3fdc91f352cc38bc650aa
• Instruction ID: 8763a821d963a42f71e498a14126c011098659202ddd3ac9cad8d3c668c5fcb6
• Opcode Fuzzy Hash: 3981f2b9fb5b2cc7a9232cfd091046a8957f61a553d3fdc91f352cc38bc650aa
• Instruction Fuzzy Hash: 4DF0F976600600AF97248F0ADC85C27FBBDEFD4674719C55AF84A4B656C771EC41CEA0
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000004.00000002.2535579889.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_4_2_11dd000_shaLnqmyTS.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 23b69c93d24c739cd5c7af4d2472af99fd0d4ebe198594a4a79ed9b9b3641b73
                                                                                                                                                                                • Instruction ID: e9008f9504616ada7bb0441fb83656c90b7b905dc0b6bd8062a6b7ebb9db2089
                                                                                                                                                                                • Opcode Fuzzy Hash: 23b69c93d24c739cd5c7af4d2472af99fd0d4ebe198594a4a79ed9b9b3641b73
                                                                                                                                                                                • Instruction Fuzzy Hash: 64F03C75104780AFD7258F15CC84C23BFB9EF866607198489F88A4B662C731FC42CBA0